堆栈内存溢出
  简体   繁体   English

Chrome扩展程序和服务器之间的安全通信

[英]Secured communication between chrome extension and a server

 原文  2016-06-21 13:40:23       javascript/ google-chrome/ security/ google-chrome-extension

问题描述

I'm building a chrome extension and one of its functionality is to contact my server to store a message on it. 我正在构建chrome扩展程序,其功能之一是联系服务器以在其上存储消息。 Only know users can do it. 只知道用户可以做到。

My issue is that the way I am doing it is not secured. 我的问题是我的操作方式不安全。 I have a database on my server on which I store user name and encrypted password. 我的服务器上有一个数据库,用于存储用户名和加密密码。

To send a message to my server, user must write his password each time, the extension doesn't memorize it. 要将邮件发送到我的服务器,用户每次必须输入密码,该扩展名不会记住该密码。 If I use XMLHttpRequest to contact my server, I have two choice. 如果使用XMLHttpRequest与服务器联系,则有两种选择。 I can send: 我能发送: 

myServerDomain + '?message=' + myMessage + '&user=' + myUserName  + '&password=' + myPassword

And encrypt password on my server to check if it is the good one. 并在我的服务器上加密密码,以检查密码是否正确。

Or I can send: 或者我可以发送: 

myServerDomain + '?message=' + myMessage + '&user=' + myUserName  + '&password=' + myPasswordEncrypted

And directly check on my server if myPasswordEncrypted match with the one saved. 然后直接在我的服务器上检查myPasswordEncrypted是否与保存的匹配。

But for both ways, I only have to access the computer of the user, check the google chrome window go to the console then network requests to obtain myPasswordEncrypted or myPassword and then send my own modified request. 但是对于这两种方式,我只需要访问用户的计算机,检查google chrome窗口转到控制台,然后网络请求获取myPasswordEncrypted或myPassword,然后发送我自己的修改后的请求。

How can I secure it? 我该如何固定?

1 个解决方案

解决方案1
 1 已采纳  2016-06-21 13:57:57

If a password is making it to your server with no encryption, your doing it wrong. 如果密码未经加密就发送到您的服务器,则表示您输入的密码不正确。 The first thing you absolutely must do is make sure that the password is being sent over HTTPS. 您绝对必须做的第一件事是确保密码是通过HTTPS发送的。 After that, you can hash it on the server. 之后,您可以在服务器上对其进行哈希处理。 Hashing it on the client is near pointless, its a ridiculously easy method to circumvent. 将其散布到客户端几乎是没有意义的,这是一种非常容易解决的方法。 See here for more details 看到这里更多细节

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Chrome扩展程序和主题之间的通信? - Communication between Chrome Extension and Theme? Chrome扩展程序中脚本之间的通信 - Communication between scripts in Chrome Extension Chrome扩展程序:iframe与弹出窗口之间的通信 - Chrome Extension: communication between iframe and popup Chrome扩展程序:后台脚本和内容脚本之间的通信 - Chrome extension: communication between background and content scripts 特定网页与chrome扩展之间的通信 - Communication between specific web page and chrome extension 创建的iframe与扩展程序,Google Chrome扩展程序之间的通信 - Communication between created Iframe and extension, google chrome extension Chrome Extension组件通讯 - Chrome Extension component communication Chrome扩展程序:内容脚本和background.html之间的通信 - Chrome extension: Communication between content script and background.html Chrome扩展程序和移动设备之间通过本地网络进行安全的通信 - Secure communication between Chrome extension and mobile over local network 使用Chrome扩展程序的网页与本机应用程序之间的通信错误 - Error in communication between Webpages & native application using Chrome Extension
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM