
Password encryption using PHP and Java

I am confused regarding aspects of password encryption in the following scenario. While debugging a network response from an Android app using Fiddler or Wireshark, which create a type of proxy server that allows me to see whatever request goes from the app to the server, the password is in the response in raw format and is clearly visible in the POST request. On the server end, by using password_hash and password_verify, we are protecting the password. But if someone else on the network end can view the password, then encryption at the server end is of no use. Is there any way I can send an encrypted password from the app, so that it is converted into some other form, and after that the password_hash function encrypts it? (Even with HTTPS I can see the POST request.)

The solution to securing the password in transit with HTTPS is to "pin" the certificate. Essentially that means verifying that the certificate received on establishment of the connection belongs to the correct server.

MITM and proxy attacks use a certificate that is not a valid certificate for the server, and it will be refused.

See: HTTP Public Key Pinning.
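As an added illustration of the pinning the answer describes (not code from the question or the answer), the Python below computes an HPKP-style pin, base64(SHA-256(SubjectPublicKeyInfo DER)), from a certificate and compares it with a pinned list; the certificate it parses is a constructed, minimal X.509-shaped structure built inline, not a real certificate, and the DER reader is assumed to be given well-formed input.

```python
import base64
import hashlib

def _der_len(n):
    """DER length field: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode the element at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the SubjectPublicKeyInfo TLV."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0          # skip the optional [0] version field
    for _ in range(5):                        # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, nxt = read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return tbs[pos:nxt]

def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(SPKI DER)), the value a pinning client stores."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, pins):
    """True only if the presented key is pinned; a proxy's substitute certificate fails here."""
    return spki_pin(cert_der) in set(pins)

# Constructed, minimal X.509-shaped certificate (not a real certificate) for the demo.
RSA_OID, SHA256RSA_OID = bytes.fromhex("2a864886f70d010101"), bytes.fromhex("2a864886f70d01010b")
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + b"\x42" * 16))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
          + tlv(0x30, tlv(0x06, SHA256RSA_OID)) + tlv(0x30, b"")
          + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
          + tlv(0x30, b"") + SPKI)
CERT = tlv(0x30, TBS + tlv(0x30, tlv(0x06, SHA256RSA_OID)) + tlv(0x03, b"\x00" * 9))
PINNED = [spki_pin(CERT)]

if __name__ == "__main__":
    print("pin:", PINNED[0], "matches:", pin_matches(CERT, PINNED))
```

A real client would compute the same digest over the certificate it receives at connection time and refuse the connection on mismatch.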
