How to send a password securely from the client side?


Question

I'm trying to make my REST API more secure. For the moment I'm hashing my password in my Angular app with CryptoJs.SHA256 before sending it to my C# backend. But I realize it's better to hash the password on the server side. So how can I send a password that is only readable by the server? I'm going to add SSL, but I know HTTPS is also breakable. Is there another solution?

Thanks

Recommended answer

As Bruce Schneier says, "Anyone can design a cipher that he himself cannot break. This is why you should uniformly distrust amateur cryptography, and why you should only use published algorithms that have withstood broad cryptanalysis."

While nothing is 100% unbreakable, breaking HTTPS is significantly harder than breaking a home-cooked security scheme made in JavaScript. Consider this: if you serve your super-secure JS over an untrusted (HTTP or HTTPS-with-invalid-certificate) connection, what prevents the attacker from substituting a broken version, which will bypass all the JS security? Nothing.

Modern browsers are going to great lengths to prevent HTTPS from being broken (with HSTS etc.); so it's significantly safer to rely on HTTPS (which can provide actual security when used correctly - "just ignore all those big red errors" is one simple way to break it) than on JS-over-HTTP (which only provides a feeling of security without an actual chance of being secure).

Further reading: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-thinked-harmful/

https://security.stackexchange.com/questions/3921/why-do-some-people-really-hate-security-via-client-side?rq=1

https://security.stackexchange.com/questions/8596/https-security-should-password-be-hashed-server-side-or-client-side
