从 HttpClient 更改为 Webclient,以纯文本形式发送密码
[英]Changing from HttpClient to Webclient, sending password as plain text
问题描述
I have an async method that uses HttpClient:
我有一个使用 HttpClient 的异步方法:
private static HttpClient client = new HttpClient(); //As pointed by @maccettura
private async Task<string> GetResult(Uri url, string user, string pass)
{
var PassArray = new UTF8Encoding().GetBytes(user + ":" + pass);
client.BaseAddress = url;
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", Convert.ToBase64String(_passArray));
string result;
using (HttpResponseMessage response = await client.GetAsync(url))
using (HttpContent content = response.Content)
{
result = await content.ReadAsStringAsync();
}
return result;
}
That I had to change to synchronous WebClient我必须更改为同步 WebClient
private string GetResult(Uri url, string user, string pass)
{
using (var client = new WebClient())
{
client.UseDefaultCredentials = true;
client.Credentials = new NetworkCredential(user, pass);
using (var stream = client.OpenRead(url))
using (var streamReader = new StreamReader(stream, Encoding.UTF8, true))
{
return streamReader.ReadToEnd();
}
}
}
Am I compromising security by sending plain username and password?我是否通过发送简单的用户名和密码来损害安全性? If so, is there a way to increase the security?如果是这样,有没有办法提高安全性? (the url is a Https address) (url是一个Https地址)
2 个解决方案
解决方案1
1 2017-10-09 20:12:01
In both cases you send credentials in "plain text".在这两种情况下,您都以“纯文本”形式发送凭据。 In both cases they are converted to base-64 before sending, but that does not make it any more secure.在这两种情况下,它们在发送之前都被转换为 base-64,但这并没有使它更安全。 The only difference is that in second (WebClient) case web client will first make request without credentials.唯一的区别是在第二种(WebClient)情况下,Web 客户端将首先发出没有凭据的请求。 Then it will get 401 Unauthorized response and after that it will make second request with the exact same Authorization Basic <base64_here> header, so it's kind of less efficient than applying that header right away.然后它将获得 401 Unauthorized 响应,之后它将使用完全相同的Authorization Basic <base64_here>标Authorization Basic <base64_here>出第二个请求,因此它比立即应用该标头效率低一些。 But again both cases send exactly the same Authorization header.但同样,这两种情况都发送完全相同的 Authorization 标头。 As already said - if you make request to https endpoint, your credentials should be safe against interception by third party, no need to implement your own encryption if you are already using encrypted channel.如前所述 - 如果您向 https 端点发出请求,您的凭据应该是安全的,不会被第三方拦截,如果您已经在使用加密通道,则无需实施自己的加密。
解决方案2
0 2017-10-09 20:02:42
Yes you are compromising by sending plain text username and password.是的,您通过发送纯文本用户名和密码来妥协。 There can be network sniffers that can pick up the packages you send accross http and read them.可以有网络嗅探器,可以拾取您通过 http 发送的包并读取它们。 If user name and passwords are plain then uh-oh.如果用户名和密码是简单的,那么 uh-oh。 Sniffers usually sniff in public places like libraries and coffee shops.嗅探器通常在图书馆和咖啡店等公共场所嗅探。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.