登录表单上的ssl? [英] ssl on login form?
问题描述
我的网站上有 SSL....当用户从 http 页面登录时,表单操作会发送到 https 页面,这是否仍能保护已发布的数据?
I have SSL on my website....when the user logs in from a http page the form action is sent to https page, would this still secure the posted data?
或者将表单和页面同时发布到 SSL 会更好吗?
Or would it be better to have the form and the page it is posted to both SSL?
谢谢
推荐答案
对于带有表单的页面和被提交到的页面来说都是绝对必要的HTTPS.除非包含该表单的页面具有 HTTPS,否则您无法保证该表单将提交到 的位置.它实际上可能不会提交到 HTTPS 页面(您是否希望访问者查看源代码)或者某些东西可能插入了一些恶意 javascript 以将表单重定向到其他地方.但是,如果表单也是 HTTPS,那么您就知道它没有被篡改.
It is absolutely necessary for both the page with the form AND the page being submitted to to be HTTPS. Unless the page with the form has HTTPS, you can make no guarantees about where that form is submitting to. It may not actually submit to an HTTPS page (are you expecting your visitors to view the source) or something may have inserted some malicious javascript to redirect the form to somewhere else. However if the form is also HTTPS then you know that it hasn't been tampered with.
安全不仅仅是勾选我有加密",而是一个完整的过程.
Security is more than just ticking a box saying "I have encryption", it's a whole process.
但这是大多数人忘记的重要部分(以及为什么这个问题的唯一正确答案是FROM 和 TO 都必须是 HTTPS):HTTPS(以及一般的 SSL/TLS)不仅仅是加密,那是只是其中的一部分.这是关于信任:
But here's the important part (and why the only correct answer to this question is "both FROM and TO must be HTTPS) that most people forget: HTTPS (and SSL/TLS in general) isn't just encryption, that is only a part of it. It's about TRUST:
- 您知道在哪里将您的数据提交到.这不仅包括服务器主机名,还包括该主机名代表的身份
- 你知道一路上没有任何东西被篡改
- You know where your data is being submitted to. This includes not just the server hostname but also the identity of who that hostname represents
- You know that nothing has been tampered with along the way
如果 FROM 页面上没有 HTTPS,则无法保证上面的 #2(FROM 页面可能被篡改),这意味着无法保证 #1.毕竟,如果您的表单以某种方式被篡改,您怎么知道该表单最终会对您的数据做什么?
Without HTTPS on the FROM page, #2 above can't be guaranteed (the FROM page could be tampered with) which means that #1 can't be guaranteed. After all, if your form were somehow tampered with, how do you know what that form will do with your data in the end?
这篇关于登录表单上的ssl?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
