登录没有HTTPS,如何安全? [英] Login without HTTPS, how to secure?
本文介绍了登录没有HTTPS,如何安全?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
对于Web应用程序,当HTTPS不可用作安全措施时,仍然可以使登录有点安全吗?例如:
For a webapplication, when HTTPS is not available as a security measure, is it possible to still make the login somewhat secure? E.g.:
- 令登入重新登入,难以重复攻击?
- 一个HTML密码字段?
特别是我使用CakePHP和AJAX POST调用来触发认证(包括提供的用户名和密码)
In particular I'm using CakePHP and an AJAX POST call to trigger authentication (includes provided username and password).
更新问题:
- HTTPS不可用。期。
- 没有明确的要求,你有什么HTTP,PHP和浏览器(cookies,JavaScript等)提供在现实生活中(没有魔法的RSA二进制文件,PGP插件)。
- 问题是,什么是最好的,你可以使比发送密码明文。了解每个此类解决方案的缺点是一个加号。
- 欢迎任何比纯文本密码更好的改进。我们不打算100%l33tG0Dhx0r-proff解决方案。难以破解优于复杂的破解,这比琐碎嗅探显示密码更好。
- HTTPS is not available. Period. If you don't like the the situation, consider it a theoretical question.
- There are no explicit requirements, you have whatever HTTP, PHP and a browser (cookies, JavaScript etc.) offers in real life (no magic RSA binaries, PGP plugins).
- Question is, what is the best, you can make out of this situation, that is better than sending the passwords plaintext. Knowing the drawbacks of each such solutions is a plus.
- Any improvement better than plain passwords is welcome. We do not aim for a 100% l33tG0Dhx0r-proff solution. Difficult to crack is better than complicated to hack which is better than a trivial sniffing revealing the password.
推荐答案
HTTPS在维护网站和浏览器之间的安全连接方面绝对至关重要。 公共WiFi网络将用户置于危险中,并且在正确使用后, HTTPS是唯一可以保护用户帐户的工具