登录没有HTTPS,如何保护? [英] Login without HTTPS, how to secure?
问题描述
对于Web应用程序,当HTTPS不可用作安全措施时,是否可以使登录有所安全?例如:
For a webapplication, when HTTPS is not available as a security measure, is it possible to still make the login somewhat secure? E.g.:
- 标记登录,重复攻击困难?
- 以某种方式加密发送的密码一个HTML密码字段?
特别是我使用CakePHP和AJAX POST调用来触发身份验证(包括提供的用户名和密码) 。
In particular I'm using CakePHP and an AJAX POST call to trigger authentication (includes provided username and password).
更新问题:
- HTTPS不可用。期。如果您不喜欢这种情况,请考虑一个理论问题。
- 没有明确的要求,您有任何HTTP,PHP和浏览器(Cookie,JavaScript等)提供在现实生活中(没有魔法RSA二进制文件,PGP插件)。
- 问题是,最好的,你可以从这个比发送密码明文。了解每个这样的解决方案的缺点是一个加分。
- 欢迎任何比普通密码更好的改进。我们不打算使用100%l33tG0Dhx0r-proff解决方案。
- HTTPS is not available. Period. If you don't like the the situation, consider it a theoretical question.
- There are no explicit requirements, you have whatever HTTP, PHP and a browser (cookies, JavaScript etc.) offers in real life (no magic RSA binaries, PGP plugins).
- Question is, what is the best, you can make out of this situation, that is better than sending the passwords plaintext. Knowing the drawbacks of each such solutions is a plus.
- Any improvement better than plain passwords is welcome. We do not aim for a 100% l33tG0Dhx0r-proff solution. Difficult to crack is better than complicated to hack which is better than a trivial sniffing revealing the password.
推荐答案
很难破解比复杂的更好,比琐碎的嗅闻更好。
在维护网站和浏览器之间的安全连接时,HTTPS是非常重要的。 rel =noreferrer(相对于 >公共WiFi网络使用户处于危险之中,如果使用正确, HTTPS是唯一可以保护用户帐户的工具此漏洞。
HTTPS is absolutely vital in maintaining a secure connection between a website and a browser. Public wifi networks put users at risk, and when used correctly, HTTPS is the only tool that can protect user accounts from this vulnerability.
如果您的主机不支持HTTPS,那么像 Cloudflare通用SSL 可用于确保所有浏览器使用HTTPS连接到您的站点,即使您的服务器不支持SSL / TLS 。 Cloudflare和您的网站之间的连接仍然是无保护的,但是这种Cloudflare服务旨在保护用户免受公共WiFi网络上的威胁。从渗透测试员的角度来看,不提供HTTPS是非常可疑的,如果您没有提供基本的安全要求来提供流量,那么您缺少什么其他安全性要求?可以使用我们加密或启动SSL ,没有合法的理由不支持HTTPS。
If your host doesn't support HTTPS then a service like Cloudflare Universal SSL can be used to ensure all browsers connect to your site using HTTPS, even if your server doesn't support SSL/TLS. The connection between Cloudflare and your website will still be unprotected, but this Cloudflare service is intended to protect users against threats found on public wifi networks. From the perspective of a penetration tester, not providing HTTPS is highly suspect, if you aren't providing a basic security requirement as delivering traffic, then what other security requirements are you missing? HTTPS certificates can be obtained for free using Let's Encrypt or Start SSL, there is no legitimate reason not to support HTTPS.
HTTPS至关重要,因为它不仅仅是加密密码。另一个重要的作用是,它应该阻止用户将恶意服务器登录到模拟真实服务器。仅使用系统来保护密码仍然违反了 OWASP A9 - 传输层不足保护,因为您仍然会以纯文本形式传送会话凭据,这是所有攻击者的需求( Firesheep ) 。
HTTPS vital because it does lot more than just "encrypt passwords". Another important role is that it should prevent the user from giving logging into a malicious server that is impersonating a real server. Using a system to protect the password alone is still a violation of OWASP A9 - Insufficient Transport Layer Protection because you would still be transmitting session credentials in plain text which is all the attacker needs (Firesheep).
令牌登录:如果攻击者正在嗅探
的流量,他们将有纯文本用户名/密码,然后
他们可以使用这些新的凭据登录。 (重播攻击)
"Tokenize logins": If an attacker is sniffing the traffic, they'll have the plain text username/password and then they can just login with these new credentials. (Replay attack)
以某种方式加密传输的密码:在该人员登录
之后,攻击者可以嗅探流量以获得有效的会话ID
(cookie),然后只需使用它而不是登录。如果
整个会话受到SSL / TLS的保护,那么这不是问题。 >
"Somehow encrypt the transmitted password": After the person has logged in an attacker can sniff the traffic to get the valid session id (cookie) and then just use this instead of logging in. If the entire session was protected with SSL/TLS then this is not a problem.
还有其他更复杂的攻击会影响本系统和我们当前的SSL基础架构。 SSLStrip 攻击更为详细。我强烈建议观看Moxie Marlinspike的Blackhat 2009演讲,导致 HTTP-Strict-Transport-Security标准。
There are other more complex attacks that affect both this system and our current SSL infrastructure. The SSLStrip attack goes into greater detail. I highly recommend watching Moxie Marlinspike's Blackhat 2009 talk, which lead to the HTTP-Strict-Transport-Security standard.
这篇关于登录没有HTTPS,如何保护?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
