Only uname/pwd verification over https - everything else in http


Problem description


For username/pwd verification - the good websites use https - to avoid sending cleartext password over the wire. If I have a site where I want to do this - i.e. login over https. However - after logging in the rest of the stuff should be over http. Is this possible - if yes, why don't we see too many websites doing this? If not, why not?

Recommended answer



if yes, why don't we see too many websites doing this


The usual excuse for not using end-to-end TLS/SSL is that it causes the web app to take a performance hit, slow response times, etc. This is a very flawed argument for https-sometimes security policy. Not entirely unfounded, but still unjustifiable.



If not, why not?


The thinking is that the only inherently vulnerable aspect of user access control is the authentication phase, i.e. where you supply your username and password to prove you are who you say you are. Organizations are aware of the risk of transmitting the credentials in clear text. After this process however, authorization is carried out server side and the web app trusts you from there on out and there are no credentials to protect any more.


Or are there? As jszakmeister pointed out very succinctly, the session cookie is every bit as security critical as a username/password pair. Should someone get a hold of that, they might as well have seen the password and username on a post-it.
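The answer's point is that the session cookie issued at the https login is itself the credential from then on. The following Python is an added example, not code from this thread or from any site it discusses; it uses the standard library's http.cookiejar as a stand-in for a browser's cookie policy and a constructed placeholder host (example.com) and cookie value. It shows that a cookie set without the Secure attribute is replayed on the very next plain-http request, which is what makes the https-login/http-everything-else design leak the session, and that adding Secure (the mitigation) stops the cookie from being sent over http at all, so the "everything else in http" part of the design cannot work once the cookie is protected. A small audit helper lists which protective attributes a Set-Cookie header is missing.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed placeholder values (not from the original thread).
LOGIN_URL = "https://example.com/login"
HTTP_NEXT_URL = "http://example.com/account"
HTTPS_NEXT_URL = "https://example.com/account"
WEAK_COOKIE = "sid=deadbeef; Path=/"
HARDENED_COOKIE = "sid=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax"


class _LoginResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()
    and reads Set-Cookie headers from the returned message object."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg.add_header("Set-Cookie", header)

    def info(self):
        return self._msg


def cookie_sent_on_next_request(set_cookie_headers, login_url, next_url):
    """Store the cookies the login response issued, then report the Cookie
    header a browser-like jar would attach to the following request.
    Returns None when the cookie policy withholds every cookie."""
    jar = http.cookiejar.CookieJar()  # default policy honours Secure
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(_LoginResponse(set_cookie_headers), login_request)

    next_request = urllib.request.Request(next_url)
    jar.add_cookie_header(next_request)
    return next_request.get_header("Cookie")


def missing_session_cookie_flags(set_cookie_header):
    """Return the protective attributes absent from a Set-Cookie header,
    in the order Secure, HttpOnly, SameSite (an audit check, not a fix)."""
    present = set()
    for attribute in set_cookie_header.split(";")[1:]:
        present.add(attribute.strip().split("=", 1)[0].lower())
    return [flag for flag in ("Secure", "HttpOnly", "SameSite")
            if flag.lower() not in present]


if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(f"{label}: missing {missing_session_cookie_flags(header) or 'nothing'}")
        print(f"  sent over http after login:  "
              f"{cookie_sent_on_next_request([header], LOGIN_URL, HTTP_NEXT_URL)}")
        print(f"  sent over https after login: "
              f"{cookie_sent_on_next_request([header], LOGIN_URL, HTTPS_NEXT_URL)}")
```

The weak cookie travels in clear on the http request, exactly as the answer warns; the hardened cookie is only ever sent on https, which is the same as saying the whole authenticated session has to stay on https.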

