登录没有HTTPS，如何安全？ [英] Login without HTTPS, how to secure?

问题描述

对于Web应用程序，当HTTPS不可用作安全措施时，仍然可以使登录有点安全吗？例如：

For a webapplication, when HTTPS is not available as a security measure, is it possible to still make the login somewhat secure? E.g.:

• 令登入重新登入，难以重复攻击？


• 一个HTML密码字段？

特别是我使用CakePHP和AJAX POST调用来触发认证（包括提供的用户名和密码）

In particular I'm using CakePHP and an AJAX POST call to trigger authentication (includes provided username and password).

更新问题：

• HTTPS不可用。期。


• 没有明确的要求，你有什么HTTP，PHP和浏览器（cookies，JavaScript等）提供在现实生活中（没有魔法的RSA二进制文件，PGP插件）。


• 问题是，什么是最好的，你可以使比发送密码明文。了解每个此类解决方案的缺点是一个加号。


• 欢迎任何比纯文本密码更好的改进。我们不打算100％l33tG0Dhx0r-proff解决方案。难以破解优于复杂的破解，这比琐碎嗅探显示密码更好。

• HTTPS is not available. Period. If you don't like the the situation, consider it a theoretical question.
• There are no explicit requirements, you have whatever HTTP, PHP and a browser (cookies, JavaScript etc.) offers in real life (no magic RSA binaries, PGP plugins).
• Question is, what is the best, you can make out of this situation, that is better than sending the passwords plaintext. Knowing the drawbacks of each such solutions is a plus.
• Any improvement better than plain passwords is welcome. We do not aim for a 100% l33tG0Dhx0r-proff solution. Difficult to crack is better than complicated to hack which is better than a trivial sniffing revealing the password.

推荐答案

HTTPS在维护网站和浏览器之间的安全连接方面绝对至关重要。 公共WiFi网络将用户置于危险中，并且在正确使用后， HTTPS是唯一可以保护用户帐户的工具 此漏洞。

HTTPS is absolutely vital in maintaining a secure connection between a website and a browser. Public wifi networks put users at risk, and when used correctly, HTTPS is the only tool that can protect user accounts from this vulnerability.

如果您的主机不支持HTTPS，那么像 Cloudflare通用SSL 可用于确保所有浏览器都使用HTTPS连接到您的网站，即使您的服务器不支持SSL / TLS 。 Cloudflare与您的网站之间的连接仍然不受保护，但此Cloudflare服务旨在保护用户免受在公共WiFi网络上发现的威胁。从渗透测试程序的角度来看，不提供HTTPS是高度可疑的，如果您不提供基本的安全要求作为交付流量，那么您缺少什么其他安全要求？ HTTPS证书可以使用让我们加密或启动SSL ，没有合法原因不支持H​​TTPS。

If your host doesn't support HTTPS then a service like Cloudflare Universal SSL can be used to ensure all browsers connect to your site using HTTPS, even if your server doesn't support SSL/TLS. The connection between Cloudflare and your website will still be unprotected, but this Cloudflare service is intended to protect users against threats found on public wifi networks. From the perspective of a penetration tester, not providing HTTPS is highly suspect, if you aren't providing a basic security requirement as delivering traffic, then what other security requirements are you missing? HTTPS certificates can be obtained for free using Let's Encrypt or Start SSL, there is no legitimate reason not to support HTTPS.

HTTPS至关重要，因为它不仅仅是加密密码。另一个重要的作用是防止用户登录到模拟真实服务器的恶意服务器。使用系统单独保护密码仍然违反 OWASP A9 - 交通不便层保护，因为您仍然会以纯文本传输会话凭据，这是所有攻击者的需要（ Firesheep ）

HTTPS vital because it does lot more than just "encrypt passwords". Another important role is that it should prevent the user from giving logging into a malicious server that is impersonating a real server. Using a system to protect the password alone is still a violation of OWASP A9 - Insufficient Transport Layer Protection because you would still be transmitting session credentials in plain text which is all the attacker needs (Firesheep).

1. 基于JavaScript的加密不能用于构造安全传输层。

令牌登录：如果攻击者嗅探
的流量，他们将有纯文本用户名/密码，然后
他们可以使用这些新的凭据登录。 （重放攻击）

"Tokenize logins": If an attacker is sniffing the traffic, they'll have the plain text username/password and then they can just login with these new credentials. (Replay attack)

以某种方式加密传输的密码：在用户登录
后，攻击者可以嗅闻流量， session id
（cookie），然后使用这个而不是登录。如果
整个会话被SSL / TLS保护，那么这不是问题。

"Somehow encrypt the transmitted password": After the person has logged in an attacker can sniff the traffic to get the valid session id (cookie) and then just use this instead of logging in. If the entire session was protected with SSL/TLS then this is not a problem.

还有其他更复杂的攻击影响这个系统和我们目前的SSL基础设施。 SSLStrip 攻击更详细。我强烈建议您观看Moxie Marlinspike的Blackhat 2009 talk ，这会导致 HTTP-Strict-Transport-Security standard 。

There are other more complex attacks that affect both this system and our current SSL infrastructure. The SSLStrip attack goes into greater detail. I highly recommend watching Moxie Marlinspike's Blackhat 2009 talk, which lead to the HTTP-Strict-Transport-Security standard.

这篇关于登录没有HTTPS，如何安全？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！