dqwh1201 2012-02-25 18:36
浏览 99
已采纳

通过域安全地通过HTTP发送数据

I'm developing an SSO solution where there is one master authentication site and multiple slave sites. I'm at the point where when someone registers on a slave it needs to forward the registration to the master and consequently log the user in to the master as well.

There's MANY ways of going about this, currently I'm planning to encrypt the needed registration /login data and redirecting the end-user with this data in a hidden iframe, so that the end-user is not bothered by this process (this will be covered in the sites T&C's). Now it's already using SSL but I want to make this process as secure as possible. Currently I'm encrypting the data send with a key that the master and slaves both hold in their configuration. I'm worried though that someone might be able to crack this as the key is always the same, and am thinking of using a salt along with that key that the master will have to obtain from the slave for each individual query, but this doubles the amount of HTTP queries needed.

I'm simply wondering whether I'm overthinking this, or if I'm being too cautious (after all, SSL alone should theoretically be sufficient).

Any advice? Thanks

  • 写回答

1条回答 默认 最新

  • doufu5747 2012-02-25 19:47
    关注

    In most cases, SSL should be sufficient. If the server's certificate and private key are stored securely, certificate revocation is checked regularly, the private key is not weak (and so on...), the channel between the end user's browser and your server (as well as the one between the master and the slave sites) will be protected from eavesdropping, preventing others from seeing the credentials.

    What SSL does not do is authenticating the "client" side of the connection, that is, anyone knowing the right URLs could connect, authenticate (impersonating a slave site) and obtaining an authentication/login token (if the supplied credentials are correct). This implies that, given a token, your master server would only not be able to discriminate which site is performing "privileged" functions. The credentials themselves would remain protected by SSL, and the attacker would still need to know them to perform the attack. (I have assumed there are no other bugs in the sites themselves, like XSS vulnerabilities or incorrect cookie management).

    That said, you should use a key (or a secret in form of a string) and pass it from the slave sites to the master one only if you need to manage permissions inside this network at a great level of detail (like preventing login on certain sites and allowing it on others based on the user's identity, or temporarily deny logins to certain sites if some of them are not under your direct control and you suspect compromise); if that's the case, I suggest you take a look at the OAuth site, it's a protocol designed exactly for that purpose (you could simply write an API that allows logins and retrieves necessary data from the master server).

    If (and only if) all the sites are under your direct control, using just SSL should be enough; the burden to manage two sets of keys (one for SSL and one for additional encryption) would be too high, and the servers would use too much resources. Only make sure SSL is used between the browsers and the servers as well as for all communication between the servers themselves, to defend against network sniffing.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

  • 网络安全-php安全知识点
    2020-10-09 17:26
    lady_killer9的博客 安全需要学的东西太多,你不可能把js学的和做前端的同学一样好、把php学的和做后端的一样好,把数据库学的和做数据库优化的同学一样好,把Apache学的和做服务器端的同学一样好,我们只能关注他们涉及的领中不...
  • 内网安全“小迪安全课堂笔记”横向
    2022-05-09 01:24
    小不为霸的博客 内网安全内网安全-环境&工作组&局网探针方案基本认知环境与工作组的区别环境靶机案例 1-基本信息收集操作演示案例 2-网络信息收集操作演示案例 3-用户信息收集操作演示案例 4-凭据信息收集操作演示...
  • php的数据怎样传到html页面,php文件与HTML页面的数据交互
    2021-04-26 19:24
    壮泉四十的博客 注意:首先需要保证本地配置了php开发环境,如WAMP开发环境WAMP配置:https://www.cnblogs.com/shiyiaccn/p/9984579.htmlphp获取HTML页面返回的数组并写入文档HTML发送(使用POST发送)doctype html>无标题文档...
  • 【web安全深度剖析笔记】HTTP协议解析
    2022-01-12 11:53
    方聚的博客 http是超文本传输协议,消息是明文传输,https则是具有安全性的ssl加密传输协议 httphttps使用的是完全不同的链接方式,用的端口也不一样,HTTP是80,https是443 HTTP的链接很简单,是无状态的;https协议是由ssl+...
  • php 进程通信系列 (五)socket unix套接字
    2022-10-03 23:37
    大雷编程的博客 现实世界中两个人进行信息...同理,在计算机中也有类似的概念:在 Unix 中,一次通信由两个端点组成,例如 HTTP 服务端和 HTTP 客户端。端点之间想要通信,必须借助某些工具,Unix 中端点之间使用 Socket 来进行通信。
  • 史上最全网络安全面试题+答案
    2023-05-30 20:10
    狮子座的猿猴的博客 文件包含漏洞是一种导致服务器上的文件被非法访问的安全漏洞,这种漏洞通常是由不当的 Web 编程实现引起的,允许攻击者从外部文件中读取服务器上的数据。要防止跨站请求伪造攻击,可以采取一些防御措施,比如在每个...
  • PHP 基础
    2020-12-24 10:03
    笨小孩@GF 知行合一的博客 PHP原始为Personal Home Page的缩写,已经正式更名为 "PHP: Hypertext Preprocessor"。自20世纪90年代国内互联网开始发展到现在,互联网信息几乎覆盖了我们日常活动所有知识范畴,并逐渐成为我们生活、学习、工作中...
  • PHP系列」PHP Cookie/Session详解
    2024-04-23 00:45
    ·零落·的博客 每个客户端(用户)在访问服务器时都会被分配一个唯一的会话ID,该ID通常通过Cookie发送到客户端,并在后续的请求中返回给服务器,以便服务器能够识别并恢复该用户的会话数据。在PHP中,Cookie是一种用于在浏览器和...
  • PHP获取表单数据的方法有几种,php获取表单数据的两种方法说明
    2021-03-23 17:44
    帅小伙-路飞的博客 原标题:php获取表单数据的两种方法说明获取表单数据是表单应用中最基本的操作,表单数据的传递方法有两种,即POST()方法和GET()方法,下面...POST()方法可以没有限制地传递数据到服务器, 所有提交的信息在后台传...
  • PHP实现提交表单发送邮件
    2017-07-10 18:03
    zh_rey的博客 利用phpmailer实现提交表单时的邮件发送,里面包含demo,并有Google邮件发送失败的解决办法。并对基本设置进行了详细的注释。
  • 没有解决我的问题, 去提问