必须登录为https页面 [英] Must logins be a https page

问题描述

一些安全专家过去曾说过登录页面应该是ssl https。那么如果我的登录是一个显示在所有页面上的块，那该怎么办呢？这是否意味着我的整个网站都必须是https？

Several security experts have said in the past that the login page should be on ssl https. So what if my login is a block that's displayed on all pages. Does that mean that my entire website has to be https?

我读过它可以将表单放在http上但发布到https，但我读到有人说它可以被中间人攻击中的人利用。有人可以证实吗？对于能够证实这一点的人，我有100分的赏金（并帮助我找到如何安全地解决这个问题的实际答案）。我的登录表单在每个页面上，我是否需要在https上创建整个网站？请随意质疑我在这里说的任何内容。它们只是我读过的但没有经验并且没有亲自尝试过。

I read it's possible to put the form on http but post it to https, but I read someone saying that it can be exploited with a man in the middle attack. Can someone confirm this? I have a 100 point bounty for someone who can confirm this (and help me with a practical answer how to securely solve this). My login form is on every page, do I need to make the whole website on https? Please feel free to question anything I said here. They're only things I read but don't have experience with and didn't try it myself.

编辑：给那些问过的人当我发布问题时，我尝试设置赏金，但系统不会让我。我查看了常见问题解答，发现可以在发布问题2天后发布赏金。这就是为什么你还没有看到赏金的原因。但是，在我在2天内设定赏金之前，我不会选择答案。对不起任何困惑。

to those who asked, when I was posting the question, I tried setting the bounty but the system wouldn't let me. I checked the FAQ and saw that bounty can be posted after 2 days from posting the question. That's why you see no bounty yet. But I will not select an answer until I set a bounty in 2 days. Sorry for any confusion.

推荐答案

我读过它可以将表格放在http上但发布到https，但是我读某人说它可以被中间人攻击中的人利用。有人可以确认吗？

I read it's possible to put the form on http but post it to https, but I read someone saying that it can be exploited with a man in the middle attack. Can someone confirm this?

是的。表单通过HTTP提供，因此中间的人可以向其注入更改（例如，因此它在表单提交之前将凭据发送到他们自己的服务器）。

Yes. The form is served up over HTTP, so a man in the middle could inject changes to it (e.g. so it sends credentials to their own server before the form submits).

如何安全地解决这个问题的实用答案

a practical answer how to securely solve this

如果安全真的很重要 - 请在整个网站上使用HTTPS。即使密码已经发送，如果你回到HTTP，那么cookie也可能被盗（参见 Firesheep ）

If security really matters — use HTTPS for the entire site. Even after the password has been sent, if you go back to HTTP then the cookie can be stolen (see Firesheep)

如果安全性无关紧要，那么请不要在每个页面上放置登录表单。只需要一个指向登录页面的链接。

If security doesn't matter that much, then don't put the login form on every page. Just have a link to a login page instead.

这篇关于必须登录为https页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！