我的表单密码是以明文形式传递的吗？ [英] Is my form password being passed in clear text?

问题描述

这是我的浏览器在登录某个网站时发送的内容：

This is what my browser sent, when logging into some site:

POST http://www.some.site/login.php HTTP/1.0
User-Agent: Opera/8.26 (X2000; Linux i686; Z; en)
Host: www.some.site
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://www.some.site/
Proxy-Connection: close
Content-Length: 123
Content-Type: application/x-www-form-urlencoded

lots_of_stuff=here&e2ad811=my_login_name&e327696=my_password&lots_of_stuff=here

我是否可以声明任何人都可以嗅探该网站的登录名和密码？
也许就在我的局域网上？


如果是这样（即使只在局域网上）那么我很震惊。我想用

Can I state that anyone can sniff my login name and password for that site? Maybe just on my LAN?
If so (even only on LAN ) then I'm shocked. I thought using

<input type="password">

不仅仅是让所有角色看起来像'*'

did something more than make all characters look like ' * '

ps如果重要的话，我玩netcat（在linux上）并建立连接

浏览器< => netcat（这里隐藏）< =>代理< => remote_site

p.s. If it matters I played with netcat (on linux) and made connection
browser <=> netcat (loged here) <=> proxy <=> remote_site

推荐答案

发送到http连接的每个数据都可以通过您路由到服务器的人（中间人攻击）。

Every data sent trought a http connection can be seen by someone in your route to the server (man in the middle attack).

type =password仅隐藏屏幕上的字符，甚至计算机上的其他程序也可以读取数据。

type="password" only hides the character on-screen, and even other programs on your computer can read the data.

唯一保护数据的方法是发送SSL（HTTPS而不是HTTP）

The only way to protect the data is to send it trought SSL (HTTPS instead of HTTP)

这篇关于我的表单密码是以明文形式传递的吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！