不使用HTTPS登录,如何安全? [英] Login without HTTPS, how to secure?
问题描述
对于 Web 应用程序,当 HTTPS 作为安全措施不可用时,是否仍然可以使登录有些安全?例如:
For a webapplication, when HTTPS is not available as a security measure, is it possible to still make the login somewhat secure? E.g.:
- 对登录进行令牌化,以减少重复攻击?
- 以某种方式加密从 HTML 密码字段发送的密码?
特别是我使用 CakePHP 和 AJAX POST 调用来触发身份验证(包括提供的用户名和密码).
In particular I'm using CakePHP and an AJAX POST call to trigger authentication (includes provided username and password).
问题更新:
- HTTPS 不可用.时期.如果您不喜欢这种情况,请将其视为一个理论问题.
- 没有明确要求,您拥有现实生活中提供的任何 HTTP、PHP 和浏览器(cookie、JavaScript 等)(没有神奇的 RSA 二进制文件、PGP 插件).
- 问题是,什么是最好的,你可以摆脱这种的情况,这比发送密码明文更好.了解每个此类解决方案的缺点是一个加分项.
- 欢迎任何比普通密码更好的改进.我们的目标不是 100% l33tG0Dhx0r-prooff 解决方案.破解难比破解好,破解好过简单的嗅探泄露密码.
- HTTPS is not available. Period. If you don't like the the situation, consider it a theoretical question.
- There are no explicit requirements, you have whatever HTTP, PHP and a browser (cookies, JavaScript etc.) offers in real life (no magic RSA binaries, PGP plugins).
- Question is, what is the best, you can make out of this situation, that is better than sending the passwords plaintext. Knowing the drawbacks of each such solutions is a plus.
- Any improvement better than plain passwords is welcome. We do not aim for a 100% l33tG0Dhx0r-proff solution. Difficult to crack is better than complicated to hack which is better than a trivial sniffing revealing the password.
推荐答案
HTTPS 在维护网站和浏览器之间的安全连接方面绝对重要.公共 wifi 网络使用户处于危险之中,如果使用得当,HTTPS 是唯一可以保护用户帐户免受这个漏洞.
HTTPS is absolutely vital in maintaining a secure connection between a website and a browser. Public wifi networks put users at risk, and when used correctly, HTTPS is the only tool that can protect user accounts from this vulnerability.
如果您的主机不支持 HTTPS,则使用 Cloudflare Universal SSL 之类的服务可用于确保所有浏览器都使用 HTTPS 连接到您的站点,即使您的服务器不支持 SSL/TLS.Cloudflare 和您的网站之间的连接仍然不受保护,但此 Cloudflare 服务旨在保护用户免受公共 wifi 网络上发现的威胁.从渗透测试人员的角度来看,不提供HTTPS是非常值得怀疑的,如果你没有提供基本的安全需求作为传输流量,那么你还缺少什么其他安全需求?可以使用 Let's Encrypt 或 启动 SSL,没有正当理由不支持 HTTPS.
If your host doesn't support HTTPS then a service like Cloudflare Universal SSL can be used to ensure all browsers connect to your site using HTTPS, even if your server doesn't support SSL/TLS. The connection between Cloudflare and your website will still be unprotected, but this Cloudflare service is intended to protect users against threats found on public wifi networks. From the perspective of a penetration tester, not providing HTTPS is highly suspect, if you aren't providing a basic security requirement as delivering traffic, then what other security requirements are you missing? HTTPS certificates can be obtained for free using Let's Encrypt or Start SSL, there is no legitimate reason not to support HTTPS.
HTTPS 至关重要,因为它不仅仅是加密密码".另一个重要作用是它应该防止用户登录到冒充真实服务器的恶意服务器.单独使用系统保护密码仍然违反OWASP A9 - Insufficient Transport Layer保护,因为您仍然会以纯文本形式传输会话凭据,而这正是攻击者所需要的(Firesheep).
HTTPS vital because it does lot more than just "encrypt passwords". Another important role is that it should prevent the user from giving logging into a malicious server that is impersonating a real server. Using a system to protect the password alone is still a violation of OWASP A9 - Insufficient Transport Layer Protection because you would still be transmitting session credentials in plain text which is all the attacker needs (Firesheep).
令牌化登录":如果攻击者正在嗅探流量,他们将拥有纯文本用户名/密码,然后他们只需使用这些新凭据登录即可.(重放攻击)
"Tokenize logins": If an attacker is sniffing the traffic, they'll have the plain text username/password and then they can just login with these new credentials. (Replay attack)
以某种方式加密传输的密码":此人登录后攻击者可以嗅探流量以获取有效的会话 ID(cookie) 然后只使用它而不是登录.如果整个会话都受到 SSL/TLS 保护,那么这不是问题.
"Somehow encrypt the transmitted password": After the person has logged in an attacker can sniff the traffic to get the valid session id (cookie) and then just use this instead of logging in. If the entire session was protected with SSL/TLS then this is not a problem.
还有其他更复杂的攻击会影响这个系统和我们当前的 SSL 基础设施.SSLStrip 攻击更详细.我强烈推荐观看 Moxie Marlinspike 的 Blackhat 2009 演讲,这会导致 HTTP-Strict-Transport-Security 标准.
There are other more complex attacks that affect both this system and our current SSL infrastructure. The SSLStrip attack goes into greater detail. I highly recommend watching Moxie Marlinspike's Blackhat 2009 talk, which lead to the HTTP-Strict-Transport-Security standard.
这篇关于不使用HTTPS登录,如何安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
