通过 Post 请求提供的密码加密

发布于 2024-09-09 07:48:19 字数 589 浏览 7 评论 0原文

我一直在学习网络,并使用 LiveHttpHeaders 记录我在 Firefox 中发出的发布请求。有趣的是,当我登录网站时,无论有没有 https,提交的 Post 请求都包含我的纯文本用户名和密码!如果系统管理员保存所有网络请求的日志或者有人正在监听无线网络,这不是很危险吗?我已经在 Gmail 和其他网站上尝试过了。我本以为谷歌的人已经想到了这个问题,所以我是不是忘记了什么?在客户端进行加密来克服这个可能的安全漏洞不是更明智吗?

这是示例发布请求的内容块(出于显而易见的原因,我已将实际用户名和密码替换为 USER 和 PASS)。

ltmpl=default&ltmplcache=2&继续=https%3A%2F%2Fmail.google.com%2Fmail%2F%3F&ser​​vice=mail&rm=false&dsh=8406886653173005655&ltmpl=default&hl=en&ltmpl=默认&scc=1&ss=1&GALX=4EQjnPdWBb0&电子邮件=USER&Passwd=PASS&rmShown=1&signIn=登录+in&asts=

I've been learning about networks and have been logging the post requests I make in firefox using LiveHttpHeaders. What is interesting is that when I log into sites, with or without https, the Post request which gets submitted includes my username and password in plain text! Isn't this dangerous in the case that a system administrator keeps logs of all network requests or if someone is listening on a wireless network? I've tried this on gmail as well as other sites. I would have thought that the people at google already thought of this problem, so am I forgetting something? Wouldn't it be wiser to encrypt on client side as well to overcome this possible security hole?

Here is the content block for a sample post request ( I have replaced my actual username and password with USER and PASS) for obvious reasons.

ltmpl=default<mplcache=2&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3F&service=mail&rm=false&dsh=8406886653173005655<mpl=default&hl=en<mpl=default&scc=1&ss=1&GALX=4EQjnPdWBb0&Email=USER&Passwd=PASS&rmShown=1&signIn=Sign+in&asts=

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

爱本泡沫多脆弱 2024-09-16 07:48:19

这有点题外话,您最好在安全邮件列表或类似的列表上询问。

但我认为您的困惑在于您用来跟踪信息的程序正在解密 SSL 会话(假设有一个)。您询问的内容(“客户端加密”)几乎是由 SSL 完成的。您可能想了解一下主题

This is kind of off-topic, you might be better asking on a security mailing list or similar.

But i think your confusion is that the program you're using to track the information is decrypting the SSL session (assuming there is one). What your asking about ("client side encryption") is pretty much done by SSL. You might want to take a look into the subject.

伪心 2024-09-16 07:48:19

当您通过 SSL 安全连接提交信息时,只有了解与您通信的服务器的私钥的一方才能读取您提交的数据。

因此,虽然对您来说您的用户名和密码显示为纯文本,但这是因为您在加密之前嗅探它们。

如果您想了解 SSL 连接的实际情况,请在客户端和服务器之间放置一个数据包转储程序。不在任何一台机器上运行。这样的数据包转储器将看到加密的、不可读的数据流。

When you submit information over an SSL-secured connection, only a party privy to the private key for the server with which you are communicating can read the data you submit.

So, although to you your username and password appear plain-text, this is because you are sniffing them before they are encrypted.

If you want to see what an SSL connection really looks like, put a packet dumper in between the client and server. Not running on either machine. Such a packet dumper will see a stream of encrypted, unreadable data.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文