安全上的考虑使用通过HTTPS GET请求有效发送密码? [英] Are security concerns sending a password using a GET request over https valid?
问题描述
我们有一个使用网页上的 sapui5 - 框架来构建一个温泉。浏览器和服务器之间的通信使用 HTTPS 。登录到网页的交互是如下:
We have webpage which uses the sapui5-framework to build a spa. The communication between the browser and the server uses https. The interaction to log into the page is the following:
- 用户通过在浏览器中输入
https://myserver.com打开网站 - 与unsername和口令在两个表单字段的登录对话框显示。
- 进入后
用户名和密码和pressing的登录按钮 - 一个Ajax请求发送使用
GET来的网址:https://开头名为myusername:myPassword@myserver.com/foo/bar/元数据
- The user opens the website by entering
https://myserver.comin the browser - A login dialogue with two form fields for unsername and password is shown.
- After entering
usernameandpasswordand pressing thelogin-button - an ajax-request is send using
GETto the URL:https://myusername:myPassword@myserver.com/foo/bar/metadata
根据使用GET发送的敏感数据从来都不是一个好主意,我的理解。但这个答案是HTTPS URL字符串安全说以下
According to my understanding using GET to send sensitive data is never a good idea. But this answer to HTTPS is the url string secure says the following
HTTPS Establishes an underlying SSL conenction before any HTTP data is
transferred. This ensures that all URL data (with the exception of
hostname, which is used to establish the connection) is carried solely
within this encrypted connection and is protected from
man-in-the-middle attacks in the same way that any HTTPS data is.
这是在同一个线程另一个答案:
An in another answer in the same thread:
These fields [for example form field, query strings] are stripped off
of the URL when creating the routing information in the https packaging
process by the browser and are included in the encrypted data block.
The page data (form, text, and query string) are passed in the
encrypted block after the encryption methods are determined and the
handshake completes.
但似乎仍有可能利用的安全问题 GET :
- URL被存储在服务器并在同一线程 上的日志
- 通过浏览器的历史记录 泄漏
- the URL is stored in the logs on the server and in the same thread
- leakage through browser history
这是对什么样的?
https://myusername:myPassword@myserver.com/foo/bar/metadata
// or
https://myserver.com/?user=myUsername&pass=MyPasswort
在此主题的其他问题:
-
- 是<一个href=\"http://stackoverflow.com/questions/18245096/is-sending-a-password-in-json-over-https-considered-secure\">sending考虑通过HTTPS JSON密码安全
- 如何安全地发送通过GET / POST口令?
- Is passsing get variables over ssl secure
- Is sending a password in json over https considered secure
- How to send securely passwords via GET/POST?
在security.stackexchange额外的信息:
On security.stackexchange are additional informations:
- can urls be sniffed when using ssl
- ssl with get and post
但在笔者看来几个方面仍然没有回答。
But in my opinion a few aspects are still not answered
在我看来提点是有效的异议不使用得到。就是如此;使用GET发送密码的坏主意?
In my opinion the mentioned points are valid objections to not use get. Is the the case; is using get for sending passwords a bad idea?
难道这些攻击的选项,还有更多?
Are these the attack options, are there more?
- 浏览器历史记录
- 服务器日志(假设URL存储在加密的日志或加密)
- 引用者信息(如果这真的是这样)
这通过HTTPS发送敏感数据(密码)在使用得到什么?确实存在攻击选项
Which attack options do exist when sending sensitive data (password) over https using get?
感谢
推荐答案
发送任何敏感数据的完胜是危险的,即使是HTTPS。这些数据可能在日志文件中最终在服务器和将被包含在链接到Referer头或从其它侧包括。他们还将保存在浏览器的历史记录,因此攻击者可能会尝试猜测和验证链路的原始内容与对历史的进攻。
Sending any kind of sensitive data over GET is dangerous, even if it is HTTPS. These data might end up in log files at the server and will be included in the Referer header in links to or includes from other sides. They will also be saved in the history of the browser so an attacker might try to guess and verify the original contents of the link with an attack against the history.
除此之外,你最好问那种问题在security.stackexchange.com。
Apart from that you better ask that kind of questions at security.stackexchange.com.
这篇关于安全上的考虑使用通过HTTPS GET请求有效发送密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
