Difference between SSL and JWT

Question


I've been reading and trying to comprehend the differences in browser side security. From what I gather, SSL is used to keep people from sniffing the traffic you send to the server. This allows you to send a password to a server in clear text...right? As long as you are in an SSL encrypted session you don't have to worry about hashing the password first or anything weird, just send it straight to the server along with the username. After the user authenticates you send them back a JWT and then all future requests to the server should include this JWT assuming they are trying to access a secured area. This allows the server to not even have to check the password, all the server does is verify the signature and that's all the server cares about. As long as the signature is verified you give the client whatever info they are requesting. Have I missed something?

Recommended answer


You are correct. "This allows the server not to even have to check the password." Why would you have to check a password on each request?


A JWT is a means of verifying authentication. It is generated upon a successful authentication request and henceforth passed with each request to let the server know this user is authenticated.


It can be used to store arbitrary values such as user_id or api_key, but they are not very secure, so don't store any valuable information here.


Be wary though, if a plain JWT is intercepted by a third party, it can assume this user's session and possible data.


SSL is a lower level form of security, encrypting every request from and to the server to prevent interception and retain integrity. SSL is achieved by (purchasing) an SSL certificate and installing it on your server. Basically an SSL certificate is a small data file that binds a cryptographic key to an 'organisation'. Once installed successfully, HTTPS requests (on port 443 by default) are possible.
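As an added illustration of two points in the answer above (the server only checks the signature on each request, and the JWT payload is readable by anyone who holds the token), here is a minimal HS256 issue/verify pair. It is example code, not from the original post; the secret, claims and helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads a long random key from config.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT after a successful login (the step the answer describes)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read_claims_without_key(token: str) -> dict:
    """Anyone holding the token can read the payload: it is base64url, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check on every request: recompute the HMAC and compare in constant time.
    Note that a replayed, unmodified token passes; the JWT alone does not prove who presents it."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def tamper_payload(token: str, new_claims: dict) -> str:
    """Constructed helper: swap the payload but keep the old signature, to show verification fails."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url(json.dumps(new_claims, separators=(',', ':')).encode())}.{sig_b64}"
```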
