可以https后备HTTP和HTTPS的安全级别 [英] Can https fallback to http and security level of https
问题描述
我正在考虑安装SSL / TLS为我的域。有迹象表明,已经困扰我两个问题:
-
是否存在这样一种HTTPS连接可以回退到HTTP的情况?因此,对于例如如果我的AJAX看起来像这样
$。员额(https://foo.com功能(){});是否有任何机会,这可能会改变。
$。员额(http://foo.com功能(){});和即使它会我的域名是仍然在入店 http://foo.com ?
-
接下来我对使用SSL / TLS广泛阅读,从我读过它似乎是相当准确的假设,如果我有这个启用,即使我发以纯文本的用户凭据,它仍然是固定(会有盐和一切过程的服务器上加密)。到什么程度,这是真的,并会建立在客户端上的哈希,然后发送它通过HTTPS是任何更安全?
更新:如果发送明文通过SSL足够安全,那么什么是真正使用类似cnonce东西的地步?是不是在客户端上刚刚不必要的开销?
-
没有,从来没有HTTPS回落到HTTP自动。它将由用户采取深思熟虑的行动。如果你只是通过将其网址到地址栏去一个网页,这很容易;表单提交它很难。
-
是,通过SSL发送纯文本是很好。事实上,发送哈希密码并没有真正提高安全性大大可言 - 如果有人设法嗅探连接并获取哈希密码,这是所有他们需要能够登录到该网站。它有一个小的优势:如果用户使用在多个网站使用相同的密码,学习一个网站的哈希密码不会帮助他们进入一个使用不同(或没有)哈希另一个站点。而且它不太可能是可行的送盐渍哈希,因为客户不知道的盐。
一个cnonce增加了一个额外的保护水平。如果,不知何故,有人设法破解SSL加密的cnonce $ P $从它得到一个可用的密码pvents他们。这基本上解决了我上面所做为什么发送哈希密码不利于这一点:在你需要的是什么,从会话切换到会话,并且cnonce提供此
请参阅http://security.stackexchange.com/questions/3001/what-is-the-use-of-a-client-nonce
I am considering installing SSL/TLS for my domain. There are two questions that have been bothering me:
Is there any scenario where a https connection can fallback to http? So, for e.g. if my ajax looks something like this
$.post("https://foo.com", function(){ });Is there any chance this could change to
$.post("http://foo.com", function(){ });and even if it does would my domain be still accesible at http://foo.com ?
Next I have read extensively about using SSL/TLS and from what I have read it seems to be fairly accurate to assume that if I have this enabled and even if I send the user credentials in plain text, it's still secure (There would be encryption with salt and everything on the server of course). To what extent is this true and would creating a hash on the client and then sending it over https be any more secure?
Update: If sending plaintext over SSL is secure enough, then what really is the point of using things like cnonce ? Isn't it just unnecessary overhead on the client?
No, HTTPS never falls back to HTTP automatically. It would take deliberate action by the user. If you're just going to a web page by putting its URL into the address bar, this is easy; for form submission it's harder.
Yes, sending plain text over SSL is fine. In fact, sending a hashed password doesn't really increase security much at all -- if someone manages to sniff the connection and gets the hashed password, that's all they need to be able to login to the site. It has one small advantage: if the user uses the same password at multiple sites, learning the hashed password for one site doesn't help them get into another site that uses a different (or no) hash. And it's not likely to be feasible to send salted hashes, since the client doesn't know the salt.
A cnonce adds an extra level of protection. If, somehow, someone manages to crack the SSL encryption, the cnonce prevents them from getting a usable password from it. This basically addresses the point I made above about why sending a hashed password doesn't help: what you need is something that changes from session to session, and a cnonce provides this.
See http://security.stackexchange.com/questions/3001/what-is-the-use-of-a-client-nonce
这篇关于可以https后备HTTP和HTTPS的安全级别的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
