Authentication, https and security.


Problem description


I'm currently authenticating a site I have built using basic http
authentication built into apache. This has zero overhead on php which is a
bonus but it seems to not quite work how I'd like.

Are the username and password in the login box that comes up encrypted?
When I login https://mysite.local:portnum I get the login dialog. As I am
using a self signed certificate I see the dialog stating warning me about
it first before the login box. All is good. However, when I swap http for
https I do not get the security certificate warning, as expected. I still
get the login box which I assume is not encrypted. Not good as the user
and password must have been sent plaintext.

If this is the case, for greater programming overhead I could ensure that a
php header on all my files dealt with access control via http. But what do
I do for images and other non php files?

Any ideas?

Pete
--
http://www.petezilla.co.uk

Solution

*** Peter Chant wrote/escribió (Tue, 16 Aug 2005 19:52:27 +0100):

> Are the username and password in the login box that comes up encrypted?

Try the Live HTTP Headers extension for Mozilla/Firefox. You'll see that
user and password are sent as plain text within headers on every page
request. Which, BTW, is the case of most authentication systems.

> When I login https://mysite.local:portnum I get the login dialog. As I am
> using a self signed certificate I see the dialog stating warning me about
> it first before the login box. All is good. However, when I swap http for
> https I do not get the security certificate warning, as expected. I still
> get the login box which I assume is not encrypted. Not good as the user
> and password must have been sent plaintext.

Make sure all page contents are encrypted. To all effects,
https://www.example.com/ and http://www.example.com/submit.png belong to
different web sites.

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--


Alvaro G Vicario wrote:

> *** Peter Chant wrote/escribió (Tue, 16 Aug 2005 19:52:27 +0100):
>
>> Are the username and password in the login box that comes up encrypted?
>
> Try the Live HTTP Headers extension for Mozilla/Firefox. You'll see that
> user and password are sent as plain text within headers on every page
> request. Which, BTW, is the case of most authentication systems.

Even when using https?

> Make sure all page contents are encrypted. To all effects,
> https://www.example.com/ and http://www.example.com/submit.png belong to
> different web sites.

Yes, but I used https://www.example.com:4430 as I was running the server on
port 4430 and I still got the password dialog box when I tried
http://www.example.com:4430 leading me to think that in both cases
authentication was not password protected.

Pete

--
http://www.petezilla.co.uk


*** Peter Chant wrote/escribió (Thu, 18 Aug 2005 08:05:29 +0100):

>>> Are the username and password in the login box that comes up encrypted?
>>
>> Try the Live HTTP Headers extension for Mozilla/Firefox. You'll see that
>> user and password are sent as plain text within headers on every page
>> request. Which, BTW, is the case of most authentication systems.
>
> Even when using https?

HTTPS is only HTTP over SSL. It's a protocol to encrypt HTTP
communications: the underlying HTTP, *once decrypted*, remains the same.

I just meant that, if you're concerned about the security of HTTP
authentication (and you have good reasons to), using HTTPS is a very good
idea.

>> Make sure all page contents are encrypted. To all effects,
>> https://www.example.com/ and http://www.example.com/submit.png belong to
>> different web sites.
>
> Yes, but I used https://www.example.com:4430 as I was running the server on
> port 4430 and I still got the password dialog box when I tried
> http://www.example.com:4430 leading me to think that in both cases
> authentication was not password protected.

I'm not sure about your exact problem but if your form is processed under
HTTPS, it doesn't matter that the form itself is not encrypted.

:-?
--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--
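
The point made in the replies, that Basic credentials ride in a header on every request and are protected only by the transport, as an added example (not part of the original thread). The request list is constructed sample data, and `parse_basic_credentials` and `exposed_logins` are hypothetical helper names.

```python
import base64
import binascii


def parse_basic_credentials(header_value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None  # other scheme (Digest, Bearer, ...) or empty token
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token
    # Only the first colon separates user from password.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def exposed_logins(requests):
    """List (url, user) for requests that carried Basic credentials over plain http."""
    findings = []
    for url, headers in requests:
        value = next(
            (v for k, v in headers.items() if k.lower() == "authorization"), None
        )
        creds = parse_basic_credentials(value) if value else None
        if creds and url.lower().startswith("http://"):
            findings.append((url, creds[0]))
    return findings


# Constructed sample: the user has answered the login box on both schemes.
TOKEN = base64.b64encode(b"pete:s3cret").decode("ascii")
SAMPLE = [
    ("https://www.example.com/", {"Authorization": "Basic " + TOKEN}),
    ("http://www.example.com/submit.png", {"authorization": "Basic " + TOKEN}),
    ("http://www.example.com/logo.png", {}),
]

if __name__ == "__main__":
    # The header is only base64: anyone who sees it recovers the password.
    print(parse_basic_credentials("Basic " + TOKEN))
    # Only the http:// request that carried the header is reported.
    print(exposed_logins(SAMPLE))
```

The same header is present in the https request, but there it is inside the encrypted channel; only the http request puts the recoverable credentials on the wire.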

