登录必须是 https 页面 [英] Must logins be a https page
问题描述
过去有几位安全专家说过,登录页面应该在 ssl https 上.那么如果我的登录是一个显示在所有页面上的块呢?这是否意味着我的整个网站都必须是 https?
Several security experts have said in the past that the login page should be on ssl https. So what if my login is a block that's displayed on all pages. Does that mean that my entire website has to be https?
我读到可以将表单放在 http 上,但将其发布到 https,但我读到有人说它可以被中间人利用.有人可以证实这一点吗?对于可以确认这一点的人,我有 100 分的悬赏(并帮助我提供如何安全解决此问题的实用答案).我的登录表单在每个页面上,我需要在 https 上创建整个网站吗?请随时质疑我在这里所说的任何内容.它们只是我读过的东西,但没有经验,也没有自己尝试过.
I read it's possible to put the form on http but post it to https, but I read someone saying that it can be exploited with a man in the middle attack. Can someone confirm this? I have a 100 point bounty for someone who can confirm this (and help me with a practical answer how to securely solve this). My login form is on every page, do I need to make the whole website on https? Please feel free to question anything I said here. They're only things I read but don't have experience with and didn't try it myself.
对于那些提出问题的人,当我发布问题时,我尝试设置赏金,但系统不让我.我查看了常见问题解答,发现可以在发布问题 2 天后发布赏金.这就是为什么你还没有看到赏金.但我不会选择答案,直到我在 2 天内设置赏金.很抱歉有任何混淆.
to those who asked, when I was posting the question, I tried setting the bounty but the system wouldn't let me. I checked the FAQ and saw that bounty can be posted after 2 days from posting the question. That's why you see no bounty yet. But I will not select an answer until I set a bounty in 2 days. Sorry for any confusion.
推荐答案
我读到可以将表单放在 http 上,但将其发布到 https,但我读到有人说它可以被中间人利用.有人可以确认吗?
I read it's possible to put the form on http but post it to https, but I read someone saying that it can be exploited with a man in the middle attack. Can someone confirm this?
是的.表单通过 HTTP 提供,因此中间人可以向其注入更改(例如,在表单提交之前将凭据发送到他们自己的服务器).
Yes. The form is served up over HTTP, so a man in the middle could inject changes to it (e.g. so it sends credentials to their own server before the form submits).
如何安全解决这个问题的实用答案
a practical answer how to securely solve this
如果安全真的很重要 - 对整个网站使用 HTTPS.即使在发送密码后,如果您返回 HTTP,则 cookie 可能会被盗(参见 Firesheep)
If security really matters — use HTTPS for the entire site. Even after the password has been sent, if you go back to HTTP then the cookie can be stolen (see Firesheep)
如果安全性不是那么重要,那么不要在每个页面上都放置登录表单.只需提供一个指向登录页面的链接即可.
If security doesn't matter that much, then don't put the login form on every page. Just have a link to a login page instead.
这篇关于登录必须是 https 页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
