rubyscas CAS over ssl,site over non-ssl [英] rubycas CAS over ssl, sites over non-ssl
问题描述
我正在尝试确定当我将rubycas本身运行在https上时,我正在查看
的安全风险,但我的实际网站
在http下运行。我面临这个问题的原因是
网站部署在heroku上,这意味着ssl实际上是
昂贵或真的很痛苦。
I'm trying to determine how much of a security risk I'm looking at when I have rubycas itself running over https, but my actual sites running under http. the reason I'm faced with this issue is that the sites are deployed on heroku, which means ssl is either really expensive or really a pain.
除了登录详细信息之外,我还将用户名
(授权)传递给每个站点,然后存储在会话中。
In addition to the login details, i also pass user rolls (authorization) to each site that is then stored in a session.
非常感谢任何输入。
推荐答案
这个问题方法是sessionid(url或cookie)和交换的数据都不加密。因此,从服务器到用户以及从用户到服务器的路上,数据都可以被读取和操纵。
The problem with this approach is that neither the sessionid (url or cookie) nor the exchanged data is encrypted. Therefore the data can be read and manipulated both on the way from the server to the user and on the way from the user to the server.
即使是被动攻击者,只能嗅探流量而又无法操纵它,可能会造成破坏:攻击者可以将sessionid复制到自己的浏览器中。公共无线连接通常使用透明代理,因此攻击者和受害者都具有相同的公共IP地址,这使得应用程序难以区分它们。
Even a passive attacker that can just sniff the traffic without being able to manipulate it, can create damage: The attacker can just copy the sessionid into his or her own browser. Public wireless connections often use a transparent proxy, so both the attacker and the victim have the same public ip-address, which makes it difficult for the application to tell them apart.
有一种名为 Firesheep 的工具会造成这种攻击<强大>非常容易。
There is a tool called Firesheep that makes this kind of attack extremely easy.
这篇关于rubyscas CAS over ssl,site over non-ssl的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!