php: Is a password sent via POST secure?

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must also comply with CC BY-SA, cite the original address and author information, and attribute it to the original authors (not me): StackOverFlow. Original address: http://stackoverflow.com/questions/3353930/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Time: 2020-08-25 09:26:57  Source: igfitidea

password sent via post secure?

php, header

Asked by Prasoon Saurav

Possible Duplicate:
How secure is a HTTP POST?

Suppose I have a login page in php where a user is required to enter his name and password. form method is post in this case.

Now someone(my friend) told me that the information(username and password) that is entered and sent to the server can be hacked just by fetching the header of the resulting page generated. So you should encrypt the header and that is why HTTPS is used.

This didn't make sense to me because I thought the information (username and password) sent via post method are completely secure and just by header hacking one cannot have access to the username and password.

Is my friend correct? If not, is there any way to do such stuff for someone who has no access to the code? How can I send my private information via HTTPS (page to be coded in php)?

EDIT:

Data through get method is sent via header. Right? Is data through post also sent via header?

Answered by Daniel Vandersluis

Without SSL, data sent through POST is equivalent to data sent through GET, or in other words, not encrypted at all.

Answered by Piskvor left the building

Your password is not secure if you just send it with POST - still visible and unencrypted, albeit a tiny bit less obvious.

Sending an unencrypted password via POST is the most insecure, yet still relatively sane way of doing this. (yes, there are less secure ways, but those are completely insane - sending a password form through GET is about as secure as broadcasting it on TV or printing it in the newspaper).

This is what a typical GET request looks like:

GET http://somedomain.example.com/path/file?here=are&the=GET&parameters=.
X-Some-Header: header content
X-Another-Header: 1

Here's a similar POST request (note that you can send both GET and POST parameters in a POST request):

POST http://somedomain.example.com/path/file?here=are&the=GET&parameters=.
X-Some-Header: header content
X-Another-Header: 1
Content-Length: 40

with_POST&=the&content=is&here_in=the&request=body

As you can see, HTTP is a completely plaintext protocol - there is no encryption performed on the data, so anyone can view and/or modify it in transit. Access to the code is not necessary at all - just watch the traffic and your data will be there, for anyone to see (you can verify this with tools such as Wireshark which allows you to view network traffic).

To remove this need to trust the whole world, HTTPS (S is for Secure) was created, which provides encryption ("only the sender and receiver can read it") and authentication ("the server is indeed yourserver.example.com, and not evilserver.example.net").

HTTPS is a wrapper around HTTP: where with HTTP, the client connects to the webserver and starts the conversation, HTTPS first establishes a secure SSL tunnel, and the HTTP communication goes through that. Setting up a HTTPS server is a bit more complex than HTTP, see e.g. this article.

Answered by User123

You can read the submitted data with Wireshark - http://de.wikipedia.org/wiki/Wireshark if you sent the form data without https.

Answered by leonbloy

I thought the information (username and password) sent via post method are completely secure

Wrong. Data sent via POST is practically as insecure as data sent via GET. The only (marginal) difference is that GET data is slightly more "accessible", via URL histories and perhaps logs. But if someone can sniff the link, he can very easily spy on the usernames and passwords sent via an http request (POST or GET) unless SSL (https://) is used.
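The two answers above (Piskvor's raw GET/POST captures and leonbloy's point that POST is no better than GET on the wire) both come down to the same fact: without TLS, a form submission is a plaintext byte string that anyone on the path can read. The following added example, which is not code from the StackOverflow thread, shows that from the defender's side: a small detector of the kind a network monitor or DLP rule would use, which parses a captured plaintext HTTP request and reports any credential-looking field in either the query string (GET-style parameters) or an application/x-www-form-urlencoded body (POST-style parameters). The sample captures, the field names treated as sensitive, and the host name are constructed for the example.

```python
"""Added example (not from the StackOverflow thread): detect plaintext
credential submissions in captured HTTP/1.1 requests.

The detector parses the request line, headers and body, gathers form fields
from both the URL query string and a urlencoded POST body, and returns the
names of any sensitive fields found. It deliberately reports field names only,
so an alert never re-copies the secret itself into a log.
"""
from urllib.parse import parse_qsl, urlsplit

# Field names treated as sensitive; an assumption made for this example.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pass"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Only the declared Content-Length bytes belong to this request's body.
    length = int(headers.get("content-length", "0"))
    return {"method": method, "target": target,
            "headers": headers, "body": body[:length]}


def extract_form_fields(req: dict) -> dict:
    """Collect GET parameters from the query string and POST parameters
    from a urlencoded body; both are readable in a plaintext capture."""
    fields = dict(parse_qsl(urlsplit(req["target"]).query,
                            keep_blank_values=True))
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and \
            ctype.startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qsl(req["body"].decode("iso-8859-1"),
                                keep_blank_values=True))
    return fields


def find_cleartext_credentials(raw: bytes) -> list:
    """Return the sorted names of sensitive fields present in a plaintext
    request, or an empty list when none are submitted."""
    fields = extract_form_fields(parse_http_request(raw))
    return sorted(name for name in fields if name.lower() in SENSITIVE_FIELDS)


# Constructed sample captures: a login via POST, the same login via GET, and
# an ordinary page request that carries no credentials.
_LOGIN_BODY = b"username=alice&password=hunter2"
SAMPLE_POST = (b"POST /login.php HTTP/1.1\r\n"
               b"Host: somedomain.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(_LOGIN_BODY)) + _LOGIN_BODY
SAMPLE_GET = (b"GET /login.php?username=alice&password=hunter2 HTTP/1.1\r\n"
              b"Host: somedomain.example.com\r\n\r\n")
SAMPLE_SAFE = (b"GET /index.php?page=home HTTP/1.1\r\n"
               b"Host: somedomain.example.com\r\n\r\n")

if __name__ == "__main__":
    for label, capture in (("POST", SAMPLE_POST), ("GET", SAMPLE_GET),
                           ("no credentials", SAMPLE_SAFE)):
        print(label, "->", find_cleartext_credentials(capture))
```

Running the block reports `['password']` for both the POST and the GET capture and `[]` for the plain page request, which is exactly the answers' point: the POST body is no more hidden than the query string. Over HTTPS the same bytes are inside the TLS record layer, so a capture yields only ciphertext and this parser finds no request line at all.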

Answered by Andy Evans

From Wikipedia

HTTP is unsecured and is subject to man-in-the-middle and eavesdropping attacks which can let attackers gain access to website accounts and sensitive information. HTTPS is designed to withstand such attacks and is considered secure against such attacks.

If you're concerned about someone intercepting your data, use HTTPS.

Answered by Dylan West

I believe the php script that submits the form, and the form itself needs to be in a directory on the webserver that is set up with SSL. You have to have an SSL certificate enabled for that website, as well.