Secure popup login possible?


Question


I have a login form that is hidden on every page and shows itself onClick when needed instead of setting off a new page request.


It has been brought to my attention that in order for a login to really be secure the form action should point to a https page but also the login form itself should be on a https page.


Is there a way I can make the pop up login form secure without making the whole site https?

Recommended answer


Using an AJAX pop-up (or an iframe) that goes (in theory) to https:// on an http:// page presents two problems:

  1. An attacker could intercept that page and replace that link with their own.

  2. This prevents the user from checking which site they are connecting to.


The 1st problem is related to this question (not specific to AJAX pop-ups, but for having the login page over plain HTTP, also discussed on Security.SE). This goes against this OWASP recommendation:

The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location.


Essentially, a MITM could modify the page you use to serve that login box to replace it with their own: the user wouldn't be able to notice the difference (at least until it's too late).


The 2nd problem is that it's actually a good thing to see you have connected (and also about to connect for the next step) to the website you want in the address bar. Anyone can have a valid https:// site: mybank.example.com and attackers.example.com could both have a valid certificate issued by a trusted authority. If I connect to my bank, I want to know it's to my bank I'm connected over HTTPS. Sending credentials to a https:// site from a popup or an iframe hides the real target website.


This problem can also happen when the initial page is served over HTTPS, as unfortunately demonstrated by the 3-D Secure system (these people should know better, really!).


In short, don't use an iframe or a popup, and do serve the page where you present the login form over HTTPS.
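The answer's first point is that an https:// form action on an http:// page is not enough: the page that renders the form must itself be served over TLS. The following script, added here as an illustration and not part of the original question or answer, audits a page's HTML for login forms (forms containing a password field) and reports whether both the page and the resolved form action are over HTTPS. It uses only the Python standard library; the page URLs and HTML snippets are constructed test data, including one sample that mirrors the hidden popup form from the question.

```python
"""Audit login forms for the two conditions the answer above calls out.

Added example (not from the original question or answer). It uses only the
Python standard library and runs over constructed HTML snippets embedded
below; the page URLs and HTML are made-up test data.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> and note whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str | None, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that carries a password field.

    Each finding holds the resolved submit URL and two booleans:
    - page_over_tls:   the page rendering the form was itself served over https
    - action_over_tls: the resolved form action is https
    A form counts as safe only when both are true, which is the answer's
    point: an https action on an http page still lets a MITM rewrite the form.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A missing or empty action submits back to the page's own URL.
        target = urljoin(page_url, form["action"] or "")
        action_scheme = urlsplit(target).scheme.lower()
        findings.append({
            "submit_url": target,
            "page_over_tls": page_scheme == "https",
            "action_over_tls": action_scheme == "https",
            "safe": page_scheme == "https" and action_scheme == "https",
        })
    return findings


# Constructed sample: the pattern from the question, a hidden login box on an
# http:// page whose action points at https://.
POPUP_ON_HTTP = """
<html><body>
<div id="login" style="display:none">
  <form action="https://www.example.com/login" method="post">
    <input type="text" name="user">
    <input type="password" name="pass">
  </form>
</div>
</body></html>
"""

# Constructed sample: the answer's recommendation, the whole page over https
# with a relative action that therefore also resolves to https.
PAGE_ON_HTTPS = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in [("http://www.example.com/", POPUP_ON_HTTP),
                      ("https://www.example.com/", PAGE_ON_HTTPS)]:
        for finding in audit_login_forms(url, html):
            status = "safe" if finding["safe"] else "NOT safe"
            print(f"{url} -> {finding['submit_url']}: {status}")
```

Running the script flags the popup sample as not safe even though its action is https, and accepts the all-HTTPS page. Forms without a password field (the search form) are ignored, so the check can be pointed at whole templates without noise.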
