如果您使用 HTTPS,您的 URL 参数将不会被嗅探吗?
假设我设置了一个简单的 php Web 服务器,其中包含一个可以通过 HTTPS 访问的页面。 该 URL 具有简单的参数,例如 https://www.example.com/test?abc=123。
在这种情况下,这里的参数对于嗅探数据包的人来说真的是安全的吗? 如果服务器不使用任何 SSL 证书,这会是真的吗?
Suppose I setup a simple php web server with a page that can be accessed by HTTPS. The URL has simple parameters, like https://www.example.com/test?abc=123.
Is it true that the parameter here in this case will be safe from people sniffing the packets? And would this be true if the server does not employ any SSL certificate?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
是的,您的 URL 不会被嗅探; 然而,一个很容易被忽视的漏洞是,如果您的页面引用了任何第三方资源,例如 Google Analytics、添加内容等,您的整个 URL 将被发送到引用来源中的第三方。 如果它确实敏感,则它不属于查询字符串。
至于问题的第二部分,如果服务器上没有证书,则无法使用 SSL。
Yes your URL would be safe from sniffing; however, one hole that is easily overlooken is if your page references any third party resources such as Google Analytics, Add Content anything, your entire URL will be sent to the third party in the referer. If its really sensitive it doesn't belong in the query string.
As for your second part of the question, you can't use SSL if you don't have a certificate on the server.
http://answers.google.com/answers/threadview/id/758002.html
http://answers.google.com/answers/threadview/id/758002.html
url:s 将存储在服务器日志和浏览器历史记录中,因此即使它们不可嗅探,它们也远非安全。
The url:s will be stored both in the server logs and in the browser history so even if they aren't sniffable they are far from safe.
在电线上,是的。 在端点(浏览器和服务器)不一定。 SSL/TLS 是传输层安全。 它将加密浏览器和服务器之间的流量。 可以在浏览器端查看数据(例如 BHO)。 一旦它到达服务器端,它当然可供接收者使用,并且只有他对待它的安全性。 如果数据需要安全地超越初始交换并防止客户端窥探,您还应该查看 消息层安全。
On the wire, yes. At the end points (browser and server) not necessarily. SSL/TLS is transport layer security. It will encrypt your traffic between the browser and the server. It is possible on the browser-side to peek at the data (a BHO for example). Once it reaches the server-side, it is available to the recipient of course and is only as secure as he treats it. If the data needs to move securely beyond the initial exchange and protected from prying eyes on the client, you should also look at message layer security.
取决于您所说的安全的含义
SSL 会加密整个 HTTP 请求/响应,因此 GET 部分中的 URL 将被加密。 这并不能阻止 MITM 攻击和 SSL 会话本身完整性的破坏。 如果使用非权威证书,这会使潜在的攻击媒介变得更简单。
REST 请求标头是否通过 SSL 加密?
是一个类似的问题。
depends on what you mean by safe
SSL encrypts the entire HTTP request/response, so the URL in the GET portion will be encrypted. This does not stop MITM attacks and corruption of the integrity of the SSL session itself. If a non-authoritative certificate is used, this makes potential attack vectors simpler.
Are REST request headers encrypted by SSL?
Is a similar question.
请求的 URI (/test?abc=123) 作为 HTTP 请求标头的一部分发送到 Web 服务器,并因此被加密。
然而,URL 可能会通过其他方式泄露,通常是网络浏览器工具栏、书签以及向朋友发送链接。 根据您发送的数据的上下文/敏感性,发布数据可能更合适。
我相信 HTTPS 连接需要 SSL 证书,如果您不想购买的话,甚至需要一个自行生成的证书。
希望有点帮助!
The requested URI (/test?abc=123) is sent to the web server as part of the HTTP request header and thus encrypted.
However URLs can leak in other ways, usually web browser toolbars, bookmarks, and sending links to friends. POSTing data may be more appropriate depending on the context/sensitivity of the data you're sending.
I believe an HTTPS connection requires an SSL certificate, even a self-generated one if you don't want to buy one.
Hope that helps a bit!
SSL/TSL 是一种传输层安全性,是的,可以使用 BHO(如 @JP 所写)或任何附加组件来选取数据,但也可以使用“浏览器外”HTTP 嗅探器来选取数据。 他们读取winsock32 和应用程序之间的消息传递。 加密发生在winsock32 中,而不是在浏览器中。
看一下(这部分摘自IEinspector的页面):
IEInspector HTTP 分析器是一个非常方便的工具,它允许您监视、跟踪、调试和分析 HTTP/实时HTTPS流量。
The SSL/TSL is a Transport Layer Security, yes the data can be picked with BHO (as @JP wrote) or any add on but also with "out of browser" HTTP sniffers. They read messaging between winsock32 and the application. The encryption takes place in the winsock32 not in the browser.
Take a look (this part was taked from the page of IEinspector):
IEInspector HTTP Analyzer is such a handy tool that allows you to monitor, trace, debug and analyze HTTP/HTTPS traffic in real-time.