如何在没有 HTTPS 的情况下使用 Javascript 通过 HTTP 安全地发送密码? [英] How to send password securely via HTTP using Javascript in absence of HTTPS?

问题描述

所有开发人员都面临的最基本问题:每当用户提交表单时，密码都是通过网络发送的，并且必须受到保护.我开发的网站没有 HTTPS.所有者既不想购买 SSL 证书，也不想购买自签名证书.所以我想在提交表单时使用 Javascript 保护通过 HTTP 发送的密码.

The very basic issue all developers face: Whenever user submits the form, the password is sent via network and it must be protected. The site I develop for doesn't have HTTPS. Neither does the owner want to buy a SSL certificate, nor is he interested in a self-signed one. So I want to protect the password sent via HTTP using Javascript when submitting form.

致急于投票的人:如何通过 HTTP 安全地发送密码? 没有给出任何合理的解决方案，我处于另一种情况.

To eager downvoters: How to send password securely over HTTP? DOES NOT give any sensible solution and I am in another situation.

如果我使用 MD5，则可以反转该密码字符串.nonce/HMAC 怎么样?任何可用的Javascript库?或者你有什么建议/提示要解决?提前致谢！

If I use MD5, one can reverse that password string. What about nonce/HMAC? Any available Javascript library for that? Or do you have any suggestion/hint to tackle? Thanks in advance!

推荐答案

没有 SSL，就无法安全地发送密码用户可以验证.

There is no way to send a password securely that the user can verify without SSL.

当然，您可以编写一些 JavaScript，通过散列或公钥加密来确保密码安全，以便进行在线传输.但是，用户如何确保 JavaScript 本身在到达他们之前没有被中间人篡改，将密码发送给攻击者而不是网站，甚至只是危及网站的安全性?算法?唯一的方法是让他们成为专家程序员，让他们检查页面和脚本的每一行，以确保在输入密码之前它是 kosher 的.这不是一个现实的场景.

Sure, you can write some JavaScript that will make a password secure for over-the-wire transmission through hashing or public-key-encryption. But how can the user be sure that the JavaScript itself has not been tampered with by a man-in-the-middle before it reached them, to send the password to an attacker instead of the site, or even just compromise the security of the algorithm? The only way would be for them to be expert programmers and have them inspect every line of your page and script to ensure it was kosher before typing the password. That is not a realistic scenario.

如果您希望密码免受中间人攻击，您必须购买 SSL 证书.没有其他办法.习惯了.

If you want passwords to be safe from man-in-the-middle attacks, you must buy an SSL cert. There is no other way. Get used to it.

如果我使用 MD5，则可以反转该密码字符串.

If I use MD5, one can reverse that password string.

不......至少不是微不足道的.虽然 MD5 有针对它的攻击，但它是一种散列算法，因此不可逆转.您将不得不对其进行暴力破解.

No... not trivially at least. Whilst MD5 has attacks against it, it's a hashing algorithm and thus unreversable. You would have to brute-force it.

但同样，中间人攻击者不需要查看您的 MD5.他可以简单地破坏你发送给用户的 JavaScript 来制作 MD5.

But again, a man-in-the-middle attacker doesn't need to look at your MD5s. He can simply sabotage the JavaScript you send the user to make the MD5s.

这篇关于如何在没有 HTTPS 的情况下使用 Javascript 通过 HTTP 安全地发送密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！