mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-13 22:30:37 +08:00
Translated by qhwdw
This commit is contained in:
qhwdw
parent
9684a00296
commit
3ff4c04288
@ -1,147 +0,0 @@
|
||||
Translating by qhwdw
|
||||
Protecting Code Integrity with PGP — Part 7: Protecting Online Accounts
|
||||
======
|
||||
|
||||
|
||||
So far in this tutorial series, we've provided practical guidelines for using PGP, including basic concepts and steps for generating and protecting your keys. If you missed the previous articles, you can catch up below. In this final article, we offer additional guidance for protecting your online accounts, which is of paramount importance today.
|
||||
|
||||
[Part 1: Basic Concepts and Tools][1]
|
||||
|
||||
[Part 2: Generating Your Master Key][2]
|
||||
|
||||
[Part 3: Generating PGP Subkeys][3]
|
||||
|
||||
[Part 4: Moving Your Master Key to Offline Storage][4]
|
||||
|
||||
[Part 5: Moving Subkeys to a Hardware Device][5]
|
||||
|
||||
[Part 6: Using PGP with Git][6]
|
||||
|
||||
### Checklist
|
||||
|
||||
* Get a U2F-capable device (ESSENTIAL)
|
||||
|
||||
* Enable 2-factor authentication for your online accounts (ESSENTIAL)
|
||||
|
||||
* GitHub/GitLab
|
||||
|
||||
* Google
|
||||
|
||||
* Social media
|
||||
|
||||
* Use U2F as primary mechanism, with TOTP as fallback (ESSENTIAL)
|
||||
|
||||
|
||||
|
||||
|
||||
#### Considerations
|
||||
|
||||
You may have noticed how a lot of your online developer identity is tied to your email address. If someone can gain access to your mailbox, they would be able to do a lot of damage to you personally, and to your reputation as a free software developer. Protecting your email accounts is just as important as protecting your PGP keys.
|
||||
|
||||
##### Two-factor authentication with Fido U2F
|
||||
|
||||
[Two-factor authentication][7] is a mechanism to improve account security by requiring a physical token in addition to a username and password. The goal is to make sure that even if someone steals your password (via keylogging, shoulder surfing, or other means), they still wouldn't be able to gain access to your account without having in their possession a specific physical device ("something you have" factor).
|
||||
|
||||
The most widely known mechanisms for 2-factor authentication are:
|
||||
|
||||
* SMS-based verification
|
||||
|
||||
* Time-based One-Time Passwords (TOTP) via a smartphone app, such as the "Google Authenticator" or similar solutions
|
||||
|
||||
* Hardware tokens supporting Fido U2F
|
||||
|
||||
|
||||
|
||||
|
||||
SMS-based verification is easiest to configure, but has the following important downsides: it is useless in areas without signal (e.g. most building basements), and can be defeated if the attacker is able to intercept or divert SMS messages, for example by cloning your SIM card.
|
||||
|
||||
TOTP-based multi-factor authentication offers more protection than SMS, but has important scaling downsides (there are only so many tokens you can add to your smartphone app before finding the correct one becomes unwieldy). Plus, there's no avoiding the fact that your secret key ends up stored on the smartphone itself -- which is a complex, globally connected device that may or may not have been receiving timely security patches from the manufacturer.
|
||||
|
||||
Most importantly, neither TOTP nor SMS methods protect you from phishing attacks -- if the phisher is able to steal both your account password and the 2-factor token, they can replay them on the legitimate site and gain access to your account.
|
||||
|
||||
[Fido U2F][8] is a standard developed specifically to provide a mechanism for 2-factor authentication and to combat credential phishing. The U2F protocol will store each site's unique key on the USB token and will prevent you from accidentally giving the attacker both your password and your one-time token if you try to use it on anything other than the legitimate website.
|
||||
|
||||
Both Chrome and Firefox support U2F 2-factor authentication, and hopefully other browsers will soon follow.
|
||||
|
||||
##### Get a token capable of Fido U2F
|
||||
|
||||
There are [many options available][9] for hardware tokens with Fido U2F support, but if you're already ordering a smartcard-capable physical device, then your best option is a Yubikey 4, which supports both.
|
||||
|
||||
##### Enable 2-factor authentication on your online accounts
|
||||
|
||||
You definitely want to enable this option on the email provider you are using (especially if it is Google, which has excellent support for U2F). Other sites where this functionality should be enabled are:
|
||||
|
||||
* GitHub: it probably occurred to you when you uploaded your PGP public key that if anyone else is able to gain access to your account, they can replace your key with their own. If you publish code on GitHub, you should take care of your account security by protecting it with U2F-backed authentication.
|
||||
|
||||
* GitLab: for the same reasons as above.
|
||||
|
||||
* Google: if you have a google account, you will be surprised how many sites allow logging in with Google authentication instead of site-specific credentials.
|
||||
|
||||
* Facebook: same as above, a lot of online sites offer the option to authenticate using a Facebook account. You should 2-factor protect your Facebook account even if you do not use it.
|
||||
|
||||
* Other sites, as you deem necessary. See [dongleauth.info][10] for inspiration.
|
||||
|
||||
|
||||
|
||||
|
||||
##### Configure TOTP failover, if possible
|
||||
|
||||
Many sites will allow you to configure multiple 2-factor mechanisms, and the recommended setup is:
|
||||
|
||||
* U2F token as the primary mechanism
|
||||
|
||||
* TOTP phone app as the secondary mechanism
|
||||
|
||||
|
||||
|
||||
|
||||
This way, even if you lose your U2F token, you should be able to re-gain access to your account. Alternatively, you can enroll multiple U2F tokens (e.g. you can get another cheap token that only does U2F and use it for backup reasons).
|
||||
|
||||
### Further reading
|
||||
|
||||
By this point you have accomplished the following important tasks:
|
||||
|
||||
1. Created your developer identity and protected it using PGP cryptography.
|
||||
|
||||
2. Configured your environment so your identity is not easily stolen by moving your master key offline and your subkeys to an external hardware device.
|
||||
|
||||
3. Configured your git environment to ensure that anyone using your project is able to verify the integrity of the repository and its entire history.
|
||||
|
||||
4. Secured your online accounts using 2-factor authentication.
|
||||
|
||||
|
||||
|
||||
|
||||
You are already in a good place, but you should also read up on the following topics:
|
||||
|
||||
* How to secure your team communication (see the document in this repository). Decisions regarding your project development and governance require just as much careful protection as any committed code, if not so. Make sure that your team communication is trusted and the integrity of all decisions is verified.
|
||||
|
||||
* How to secure your workstation (see the document in this repository). Your goal is to minimize risky behaviour that would cause your project code to be contaminated, or your developer identity to be stolen.
|
||||
|
||||
* How to write secure code (see various documentation related to the programming languages and libraries used by your project). Bad, insecure code is still bad, insecure code even if there is a PGP signature on the commit that introduced it.
|
||||
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-7-protecting-online-accounts
|
||||
|
||||
作者:[Konstantin Ryabitsev][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
选题:[lujun9972](https://github.com/lujun9972)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.linux.com/users/mricon
|
||||
[1]:https://www.linux.com/blog/learn/2018/2/protecting-code-integrity-pgp-part-1-basic-pgp-concepts-and-tools
|
||||
[2]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-2-generating-and-protecting-your-master-pgp-key
|
||||
[3]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-3-generating-pgp-subkeys
|
||||
[4]:https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-4-moving-your-master-key-offline-storage
|
||||
[5]:https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-5-moving-subkeys-hardware-device
|
||||
[6]:https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-6-using-pgp-git
|
||||
[7]:https://en.wikipedia.org/wiki/Multi-factor_authentication
|
||||
[8]:https://en.wikipedia.org/wiki/Universal_2nd_Factor
|
||||
[9]:http://www.dongleauth.info/dongles/
|
||||
[10]:http://www.dongleauth.info/
|
||||
@ -0,0 +1,145 @@
|
||||
保护代码完整性(七):保护在线帐户
|
||||
======
|
||||
|
||||
|
||||
到目前为止,本系列教程已经提供了 PGP 的实用指南,包括基本概念和工具、生成和保护你的密钥的步骤。如果你错过了前面的文章,可以通过下面的链接查看。在本系列的最后一篇文章中,我们将为你保护在线帐户提供一个额外的指南,保护在线帐户是当今非常重要的一件事情。
|
||||
|
||||
[第一部分:基本概念和工具][1]
|
||||
|
||||
[第二部分:生成你的主密钥][2]
|
||||
|
||||
[第三部分:生成 PGP 子密钥][3]
|
||||
|
||||
[第四部分:将主密钥移到离线存储中][4]
|
||||
|
||||
[第五部分:将子密钥移到硬件设备中][5]
|
||||
|
||||
[第六部分:在 Git 中使用 PGP][6]
|
||||
|
||||
### 清单
|
||||
|
||||
* 取得一个具备 U2F 功能的设备(必要)
|
||||
|
||||
* 为你的在线帐户启用双因子认证(必要)
|
||||
|
||||
* GitHub/GitLab
|
||||
|
||||
* Google
|
||||
|
||||
* 社交媒体
|
||||
|
||||
* 使用 U2F 作为主验证机制,使用 TOTP 作为备选(必要)
|
||||
|
||||
|
||||
|
||||
|
||||
#### 考虑事项
|
||||
|
||||
你可能注意到,很多在线开发者身份是捆绑了你的 email 地址。如果有人能够访问你的邮箱,他们就能够去做一些对你会产生危害的事情,进而会损害你作为自由软件开发者的声誉。应该像保护你的 PGP 密钥那样保护你的 email 地址。
|
||||
|
||||
##### 使用 Fido U2F 的双因子认证
|
||||
|
||||
[双因子认证][7] 是一种提升帐户安全性的机制,它除了要求用户名和密码之外,还要求一个物理令牌。它的目标是即便在有人窃取了你的密码(通过按键记录器、肩窥攻击、或其它方式)的情况下,仍然能确保你的帐户安全,他们在没有得到你的一个专用的物理设备(“必备”的那个因子)的情况下,始终不能获取你的帐户。
|
||||
|
||||
广为人知的双因子认证机制有:
|
||||
|
||||
* 基于 SMS 的验证
|
||||
|
||||
* 借助智能手机应用的基于时间的一次性令牌(TOTP),比如 "Google Authenticator" 或类似解决方案
|
||||
|
||||
* 支持 Fido U2F 的硬件令牌
|
||||
|
||||
|
||||
|
||||
|
||||
基于 SMS 的验证很容易配置,但是它有如下的缺点:它在没有手机信号的地方无法使用(比如,建筑物的地下室),并且如果攻击者能够阻断或转向 SMS 信息,这种方式可能就会失败,比如通过克隆你的 SIM 卡。
|
||||
|
||||
基于 TOTP 的多因子认证提供了比 SMS 更好的安全保护,但它也有一些重要的缺点(在你能够找到一个合适的令牌之前,你只能在智能手机中添加那么多令牌)。此外,还不能避免一个事实,那就是你的密钥最终还是保存在你的智能手机中 —— 它是一个复杂的、全球连接的设备,它有可能还没有及时从制造商那儿收到安全补丁。
|
||||
|
||||
更重要的是,不论是使用 TOTP 还是 SMS 的方法保护你免受诱骗攻击 —— 如果诱骗攻击者能够窃取你的帐户密码和双因子令牌,他们就可以在合法的站点上使用它们,访问你的帐户。
|
||||
|
||||
[Fido U2F][8] 是一个按标准开发的专用设备,它能够提供双因子认证机制来对付诱骗攻击。U2F 协议在 USB 令牌中保存每个站点的的唯一密钥,如果你在任何合法站点以外的地方尝试使用它,它将阻止你,以防范偶然让攻击者获得你的密码和一次性令牌。
|
||||
|
||||
Chrome 和 Firefox 都支持 U2F 双因子认证,希望其它浏览器也能够提供对 U2F 的支持。
|
||||
|
||||
##### 获得一个支持 Fido U2F 功能的令牌
|
||||
|
||||
支持 U2F 的硬件令牌的 [可选目标很多][9],但如果你已经订购了一个支持智能卡的物理设备,那么你最好的选择就是 Yubikey 4,它两者都支持。
|
||||
|
||||
##### 启用你的在线帐户的双因子认证
|
||||
|
||||
你要确定你想去启用的选项,你的 email 提供商已经使用了(特别是 Google,它对 U2F 的支持非常好)。其它的站点这个功能应该是启用了:
|
||||
|
||||
* GitHub:当你上传你的 PGP 公钥时,你应该要想到,如果其他人能够获得访问你的帐户,他们可以用他们自己的 PGP 公钥替换掉你的 PGP 公钥。如果在 GitHub 上发布代码,你应该使用 U2F 认证来保护你的帐户安全。
|
||||
|
||||
* GitLab:理由同上
|
||||
|
||||
* Google:如果你有 google 帐户,你就惊奇地发现,许多帐户都允许以 Google 帐户来代替站点专用的认证来登入它们。
|
||||
|
||||
* Facebook:理由同上,许多在线站点都提供一个选择让你以 Facebook 的帐户来认证。即便你不使用 Facebook 也应该使用双因子认证来保护你的 Facebook 帐户。
|
||||
|
||||
* 你认为必要的其它站点。查看 [dongleauth.info][10] 去找找灵感。
|
||||
|
||||
|
||||
|
||||
|
||||
##### 如有可能,配置 TOTP 作为备选
|
||||
|
||||
许多站点都允许你配置多个双因子认证机制,推荐的设置是:
|
||||
|
||||
* U2F 令牌作为主认证机制
|
||||
|
||||
* TOTP 手机 app 作为辅助认证机制
|
||||
|
||||
|
||||
|
||||
|
||||
通过这种方式,即便你丢失了你的 U2F 令牌,你仍然能够重新获取对你的帐户的访问。或者,你可以注册多个 U2F 令牌(即:你可以用一个便宜的令牌仅用它做 U2F,并且将它用作备份)。
|
||||
|
||||
### 延伸阅读
|
||||
|
||||
到目前为止,你已经完成了下列的重要任务:
|
||||
|
||||
1. 创建你的开发者身份并使用 PGP 加密来保护它。
|
||||
|
||||
2. 通过将你的主密钥移到一个离线存储中并将子密钥移到一个外置硬件设备中的方式来配置你的环境,让窃取你的身份变得极为困难。
|
||||
|
||||
3. 配置你的 Git 环境去确保任何使用你项目的人都能够验证仓库的完整性和它的整个历史。
|
||||
|
||||
4. 使用双因子认证强化你的在线帐户。
|
||||
|
||||
|
||||
|
||||
|
||||
在安全保护方面,你已经做的很好了,但是你还应该去阅读以下的主题:
|
||||
|
||||
* 如何去强化你的团队沟通(在这个仓库中查看相关文档)。你的项目开发和治理决策的要求应该和保护提交代码那样去保护,如果不这样做,应该确保你的团队沟通是可信任的,并且所有决策的完整性是可验证的。
|
||||
|
||||
* 如何去强化你的工作站的安全(在这个仓库中查看相关文档)。你的目标是最小化可能导致项目代码被污染的危险或你的开发者身份被窃的行为。
|
||||
|
||||
* 如何写出安全的代码(查看相关编程语言和你项目所使用的库的各种文档)。即便引入它的提交代码上有一个 PGP 签名,糟糕的、不安全的代码仍然是糟糕的、不安全的代码!
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-7-protecting-online-accounts
|
||||
|
||||
作者:[Konstantin Ryabitsev][a]
|
||||
译者:[qhwdw](https://github.com/qhwdw)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
选题:[lujun9972](https://github.com/lujun9972)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.linux.com/users/mricon
|
||||
[1]:https://www.linux.com/blog/learn/2018/2/protecting-code-integrity-pgp-part-1-basic-pgp-concepts-and-tools
|
||||
[2]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-2-generating-and-protecting-your-master-pgp-key
|
||||
[3]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-3-generating-pgp-subkeys
|
||||
[4]:https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-4-moving-your-master-key-offline-storage
|
||||
[5]:https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-5-moving-subkeys-hardware-device
|
||||
[6]:https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-6-using-pgp-git
|
||||
[7]:https://en.wikipedia.org/wiki/Multi-factor_authentication
|
||||
[8]:https://en.wikipedia.org/wiki/Universal_2nd_Factor
|
||||
[9]:http://www.dongleauth.info/dongles/
|
||||
[10]:http://www.dongleauth.info/
|
||||
Loading…
Reference in New Issue
Block a user