如何在没有HTTPS的情况下使用JavaScript通过HTTP安全地发送密码? [英] How to send password securely via HTTP using Javascript in absence of HTTPS?
问题描述
所有开发者都面临的基本问题:无论何时用户提交表单,密码都是通过网络发送的,并且必须受到保护。我开发的网站没有HTTPS。所有者也不想购买SSL证书,也不希望购买自己的SSL证书。所以我想在提交表单时保护通过HTTP使用JavaScript发送的密码。
渴望downvoters:如何通过HTTP安全地发送密码?不提供任何明智的解决方案,我处于另一种情况。
如果我使用MD5,则可以反转该密码字符串。那么nonce / HMAC呢?任何可用的JavaScript库?或者你有什么建议/暗示来解决?提前致谢!
无法安全地发送密码用户可以验证没有SSL。
当然,您可以编写一些JavaScript,通过哈希或公钥加密为密码传输提供安全密码。但是,用户如何确保JavaScript本身在到达他们之前没有被中间人篡改,将密码发送给攻击者而不是网站,甚至只是危及安全性算法?唯一的办法是让他们成为专业的程序员,并让他们检查你的页面和脚本的每一行,以确保在输入密码之前它是犹太人。这不是一个现实的情况。
如果您想让密码从中间人攻击中安全下来,您必须购买SSL证书。没有其他办法。习惯它。
如果我使用MD5,则可以反转该密码字符串。
没有......至少不平凡。虽然MD5有攻击它,但它是一个哈希算法,因此不可逆转。你必须暴力破解它。
但是,一个中间人攻击者不需要看你的MD5。他可以简单地破坏你发送用户制作MD5的JavaScript。
The very basic issue all developers face: Whenever user submits the form, the password is sent via network and it must be protected. The site I develop for doesn't have HTTPS. Neither does the owner want to buy a SSL certificate, nor is he interested in a self-signed one. So I want to protect the password sent via HTTP using Javascript when submitting form.
To eager downvoters: How to send password securely over HTTP? DOES NOT give any sensible solution and I am in another situation.
If I use MD5, one can reverse that password string. What about nonce/HMAC? Any available Javascript library for that? Or do you have any suggestion/hint to tackle? Thanks in advance!
There is no way to send a password securely that the user can verify without SSL.
Sure, you can write some JavaScript that will make a password secure for over-the-wire transmission through hashing or public-key-encryption. But how can the user be sure that the JavaScript itself has not been tampered with by a man-in-the-middle before it reached them, to send the password to an attacker instead of the site, or even just compromise the security of the algorithm? The only way would be for them to be expert programmers and have them inspect every line of your page and script to ensure it was kosher before typing the password. That is not a realistic scenario.
If you want passwords to be safe from man-in-the-middle attacks, you must buy an SSL cert. There is no other way. Get used to it.
If I use MD5, one can reverse that password string.
No... not trivially at least. Whilst MD5 has attacks against it, it's a hashing algorithm and thus unreversable. You would have to brute-force it.
But again, a man-in-the-middle attacker doesn't need to look at your MD5s. He can simply sabotage the JavaScript you send the user to make the MD5s.
这篇关于如何在没有HTTPS的情况下使用JavaScript通过HTTP安全地发送密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
