Is sending a password in JSON over HTTPS considered secure?


Problem description

If I send a password in JSON over HTTPS to perform authentication, is it secure? Is there a better way to do it?

In general, what is the best way to send a username and password over to a server to perform authentication?

Solution

Generally speaking, yes, this is safe against a passive network eavesdropper, which is the primary threat one is concerned about in this sort of architecture.

If you'd prefer not to send the password in the (HTTPS-encrypted) request, you can have the server send a unique challenge string to the client. The client hashes the combination of that string with the password and then sends the hash to the server. This proves to the server that the client has the password without actually sending it. Yahoo's Login form used to work like this, for instance.
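
The challenge-response exchange described in the answer, shown with both sides, as an added example that is not part of the original post. It uses HMAC-SHA256 in place of a plain hash of the concatenated strings; the class and function names and the sample credential are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def client_response(password, challenge):
    """Client side: hash the server's challenge together with the password."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Server side: issues single-use challenges and checks responses."""

    def __init__(self, credentials):
        # Assumption: the server holds a secret from which it can recompute
        # the response, so what it stores is password-equivalent here.
        self._credentials = dict(credentials)
        self._pending = {}  # username -> outstanding challenge

    def issue_challenge(self, username):
        challenge = secrets.token_hex(16)  # unique and unpredictable per attempt
        self._pending[username] = challenge
        return challenge

    def verify(self, username, response):
        # pop() consumes the challenge, so a captured response cannot be
        # replayed against this or any later login attempt.
        challenge = self._pending.pop(username, None)
        secret = self._credentials.get(username)
        if challenge is None or secret is None:
            return False
        expected = client_response(secret, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    server = ChallengeServer({"alice": "correct horse battery staple"})  # constructed
    c1 = server.issue_challenge("alice")
    r1 = client_response("correct horse battery staple", c1)
    ok = server.verify("alice", r1)        # fresh challenge, right password
    replay = server.verify("alice", r1)    # challenge already consumed
    server.issue_challenge("alice")
    stale = server.verify("alice", r1)     # old response against a new challenge
    wrong = server.verify("alice", client_response("guess", server.issue_challenge("alice")))
    return ok, replay, stale, wrong


if __name__ == "__main__":
    print(demo())
```

The password itself never appears in a request, but each response is only valid for the one challenge it was computed over.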
