I built a Firefox extension to detect Adversary-in-the-Middle attacks in real time.
The core idea: instead of chasing blacklists (a losing game when domains cost $3),
look at what the proxy cannot easily hide.
Detection runs across four layers:
- DNS: entropy, punycode/homograph, typosquatting, subdomain anomalies
- HTTP headers: missing CSP/HSTS, proxy header signatures
- TLS: certificate age anomalies
- DOM: MutationObserver scanning for domain mismatch between the current URL and page content — this is the killer signal against Evilginx-style kits
The engine is pure Rust compiled to WASM. JS is a deliberately thin interface
layer only — a conscious security decision.
Tested against a live Evilginx deployment: 1.00 CRITICAL. Zero false positives
on 10+ legitimate sites including Google, Apple, PayPal, and several EU banks.
There is a grey area — CDN-heavy sites (Amazon, PayPal) trigger ProxyHeaderDetected
via CloudFront. Still working on a neater model for that.
Submitted to Mozilla Add-ons — pending review. Happy to discuss the detection
model or the Rust/WASM architecture.
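To make the DOM-layer "domain mismatch" signal concrete, here is an added example of how that check can be scored (my own illustration, not the extension's Rust/WASM code). It assumes a naive two-label registrable-domain shortcut, a short hard-coded TLD list in place of the Public Suffix List, and a 50% threshold; the page samples are constructed.

```javascript
// Added example (not the extension's code): the DOM layer's "domain mismatch"
// heuristic as pure functions; weights, names and the eTLD+1 shortcut are assumptions.
// Last two labels as the registrable domain; real code would use the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}
// Hostnames from href/action/src attributes plus bare domains in text (hosts in
// attributes are counted twice; only the ratio matters). TLD list is a stand-in for the PSL.
function extractHostnames(html) {
  const patterns = [
    /(?:href|action|src)\s*=\s*["']\s*(?:https?:)?\/\/([^\/"'\s:?#]+)/gi,
    /\b((?:[a-z0-9-]+\.)+(?:com|net|org|io|co|uk|de|fr))\b/gi,
  ];
  const found = [];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(html)) !== null) found.push(m[1].toLowerCase());
  }
  return found;
}
// Score 0..1: a password field on a page whose domain references mostly point at a
// registrable domain other than the one in the URL bar is the mismatch signal.
function domainMismatchScore(pageUrl, html) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const counts = new Map();
  for (const h of extractHostnames(html)) {
    const d = registrableDomain(h); counts.set(d, (counts.get(d) || 0) + 1);
  }
  const total = [...counts.values()].reduce((a, b) => a + b, 0);
  const foreign = [...counts].filter(([d]) => d !== pageDomain).sort((a, b) => b[1] - a[1]);
  const hasPassword = /type\s*=\s*["']password["']/i.test(html);
  const share = foreign.length ? foreign[0][1] / total : 0;      // share of refs to top foreign domain
  const score = hasPassword && share >= 0.5 ? Math.round(share * 100) / 100 : 0;
  return { score, pageDomain, topForeign: foreign.length ? foreign[0][0] : null, share };
}
// Browser hookup: rescan on each DOM mutation; returns null outside a browser.
function watchDocument(onResult) {
  if (typeof MutationObserver === 'undefined') return null;
  const run = () => onResult(domainMismatchScore(location.href, document.documentElement.outerHTML));
  const obs = new MutationObserver(run);
  obs.observe(document.documentElement, { childList: true, subtree: true, attributes: true });
  run();
  return obs;
}
// Constructed sample: a look-alike host serving a login page that still references the real brand.
const SAMPLE_PHISH = '<link href="https://logincdn.msauth.net/x.css"><form action="/login"><input type="password"></form>'
  + '<a href="https://www.microsoft.com/privacy">Privacy</a><a href="https://www.microsoft.com/terms">Terms</a>'
  + '<a href="https://account.microsoft.com/help">Help</a><p>Use your account at account.microsoft.com</p>';
```

A legitimate login page with a CDN reference stays below the threshold because its own domain dominates the reference counts, which is the distinction that keeps CloudFront-heavy sites from tripping this particular layer.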