如何从客户端安全地发送密码? [英] How to send password securely from client side?
问题描述
我正在尝试使我的REST API更安全.目前,我正在使用CryptoJs.SHA256在我的角度应用程序中对我的密码进行哈希处理,然后再将其发送到C#后端.但是我意识到最好在服务器端对密码进行哈希处理.那么如何发送仅服务器可读的密码?我将添加SSL,但我知道HTTPS也很容易破解.还有其他解决方案吗?
I'm trying to make my REST API more secure. For the moment I'm hashing my password in my angular app with CryptoJs.SHA256 before sending it to my C# backend. But I realize it's better to hash password on server side. So how can I send a password only readable by the server? I'm going to add SSL but I know HTTPS is also breakable. Is there an other solution?
谢谢
推荐答案
As Bruce Schneier says, "Anyone can design a cipher that he himself cannot break. This is why you should uniformly distrust amateur cryptography, and why you should only use published algorithms that have withstood broad cryptanalysis."
虽然没有什么是100%不可破坏的,但破坏HTTPS的难度远比破坏用JavaScript制定的自制安全方案的难度大.考虑一下:如果您通过不可信(HTTP或HTTPS-带有无效证书)连接为超级安全JS提供服务,是什么阻止攻击者替换损坏的版本,从而绕过所有JS安全性?没事.
While nothing is 100% unbreakable, breaking HTTPS is significantly harder than breaking a homecooked security scheme made in JavaScript. Consider this: if you serve your super-secure JS over an untrusted (HTTP or HTTPS-with-invalid-certificate) connection, what prevents the attacker from substituting a broken version, which will bypass all the JS security? Nothing.
现代浏览器将竭尽全力防止HTTPS被HSTS等破坏.因此,依靠HTTPS(在正确使用时可以提供实际的安全性 -只要忽略所有那些大的红色错误"是打破它的一种简单方法),它的安全性要比依靠JS-over-HTTP的安全得多(只能提供一种安全感,而没有真正的机会是安全的).
Modern browsers are going to great lengths to prevent HTTPS from being broken (with HSTS etc.); so it's significantly safer to rely on HTTPS (which can provide actual security when used correctly - "just ignore all those big red errors" is one simple way to break it) than on JS-over-HTTP (which only provides a feeling of security without an actual chance of being secure).
https://security.stackexchange.com/questions/3921/为什么要通过客户端进行某些人的仇恨安全性?rq = 1
这篇关于如何从客户端安全地发送密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
