Security of native messaging?


Problem description



I have an NPAPI plugin for sign-in data on a website.

I want to replace it with Native Messaging technology. I have read the documentation, but I have a question: Is this technology safe?

Can hackers catch data in transfer from JavaScript to the native host app and back?

Edit: merging in a better-worded question:

  • How secure is stdio data transfer?
  • Is there a way to perform a man-in-the-middle attack on such a data transfer?

Solution

It is, in principle, possible to inspect stdio calls made by an executable.

For instance, on Linux systems, you can use strace for that purpose. I don't know of a similar Windows tool, but it's conceivable that it exists.

That would be akin to attaching a debugger to the browser/native host itself, and can only be done by someone who has access to the local machine with the same user credentials or administrative access. In particular, the user running Chrome can do it - just like he/she can use Dev Tools to inspect and intercept the data at the JavaScript side.

So, yes, in principle that can be intercepted, but only by someone with full rights to execute/debug code on the system it's running on, and the OS takes care not to allow normal users to inspect processes of other users in this way.
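The stdio transfer the answer describes, as an added example that is not from the question, the answer, or any Chrome code: a minimal native messaging host in Python that implements Chrome's documented framing (a 4-byte native-byte-order length prefix followed by UTF-8 JSON), enforces the 1 MB host-to-browser message limit, and treats a cut-off frame as an error instead of a partial message. The message contents and the echo behaviour are constructed for illustration.

```python
import json
import struct
from io import BytesIO
MAX_HOST_TO_BROWSER = 1024 * 1024  # Chrome's documented cap on one host-to-browser message

def encode_message(obj):
    """Frame one message as Chrome expects: uint32 length (native byte order), then UTF-8 JSON."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_HOST_TO_BROWSER:
        raise ValueError("message exceeds the 1 MB host-to-browser limit")
    return struct.pack("=I", len(body)) + body

def read_message(stream):
    """Read one framed message; None on clean EOF, EOFError if the frame is cut off."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) < 4:
        raise EOFError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    body = stream.read(length)
    if len(body) < length:
        raise EOFError("truncated message body")
    return json.loads(body.decode("utf-8"))

def echo_host(stdin, stdout):
    """Host loop: answer every message with {"echo": message}; returns the number handled."""
    handled = 0
    while (msg := read_message(stdin)) is not None:
        stdout.write(encode_message({"echo": msg}))
        stdout.flush()
        handled += 1
    return handled

def demo_roundtrip():
    """Drive echo_host over in-memory pipes with constructed sample traffic; decode its replies."""
    inbound = BytesIO(encode_message({"user": "alice"}) + encode_message({"n": 1}))
    outbound = BytesIO()
    handled = echo_host(inbound, outbound)
    outbound.seek(0)
    return handled, list(iter(lambda: read_message(outbound), None))

def demo_truncated():
    """A frame cut off mid-body (constructed) must surface as EOFError, not a silent partial read."""
    try:
        read_message(BytesIO(encode_message({"user": "alice"})[:10]))
        return False
    except EOFError:
        return True
```

Because the frames are plain JSON on a pipe, whoever can read the host process's file descriptors (strace under the same user account, as the answer says) sees them in clear; confidentiality rests on the OS keeping other users out of the process, not on the channel itself.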
