問題描述

過去有幾位安全專家說過，登錄頁面應該在 ssl https 上.那么如果我的登錄是一個顯示在所有頁面上的塊呢?這是否意味著我的整個網(wǎng)站都必須是 https?

Several security experts have said in the past that the login page should be on ssl https. So what if my login is a block that's displayed on all pages. Does that mean that my entire website has to be https?

我讀到可以將表單放在 http 上，但將其發(fā)布到 https，但我讀到有人說它可以被中間人利用.有人可以證實這一點嗎?對于可以確認這一點的人，我有 100 分的懸賞(并幫助我提供如何安全解決此問題的實用答案).我的登錄表單在每個頁面上，我需要在 https 上創(chuàng)建整個網(wǎng)站嗎?請隨時質(zhì)疑我在這里所說的任何內(nèi)容.它們只是我讀過的東西，但沒有經(jīng)驗，也沒有自己嘗試過.

I read it's possible to put the form on http but post it to https, but I read someone saying that it can be exploited with a man in the middle attack. Can someone confirm this? I have a 100 point bounty for someone who can confirm this (and help me with a practical answer how to securely solve this). My login form is on every page, do I need to make the whole website on https? Please feel free to question anything I said here. They're only things I read but don't have experience with and didn't try it myself.

對于那些提出問題的人，當我發(fā)布問題時，我嘗試設(shè)置賞金，但系統(tǒng)不讓我.我查看了常見問題解答，發(fā)現(xiàn)可以在發(fā)布問題 2 天后發(fā)布賞金.這就是為什么你還沒有看到賞金.但我不會選擇答案，直到我在 2 天內(nèi)設(shè)置賞金.很抱歉有任何混淆.

to those who asked, when I was posting the question, I tried setting the bounty but the system wouldn't let me. I checked the FAQ and saw that bounty can be posted after 2 days from posting the question. That's why you see no bounty yet. But I will not select an answer until I set a bounty in 2 days. Sorry for any confusion.

推薦答案

我讀到可以將表單放在 http 上，但將其發(fā)布到 https，但我讀到有人說它可以被中間人利用.有人可以確認嗎?

I read it's possible to put the form on http but post it to https, but I read someone saying that it can be exploited with a man in the middle attack. Can someone confirm this?

是的.表單通過 HTTP 提供，因此中間人可以向其注入更改(例如，在表單提交之前將憑據(jù)發(fā)送到他們自己的服務器).

Yes. The form is served up over HTTP, so a man in the middle could inject changes to it (e.g. so it sends credentials to their own server before the form submits).

如何安全解決這個問題的實用答案

a practical answer how to securely solve this

如果安全真的很重要 - 對整個網(wǎng)站使用 HTTPS.即使在發(fā)送密碼后，如果您返回 HTTP，則 cookie 可能會被盜(參見 Firesheep)

If security really matters — use HTTPS for the entire site. Even after the password has been sent, if you go back to HTTP then the cookie can be stolen (see Firesheep)

如果安全性不是那么重要，那么不要在每個頁面上都放置登錄表單.只需提供一個指向登錄頁面的鏈接即可.

If security doesn't matter that much, then don't put the login form on every page. Just have a link to a login page instead.

這篇關(guān)于登錄必須是 https 頁面的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！