
Is CHAP authentication really useful over a secure https connection?

I have a website that used to work only over http, so since the connection was not secure, I used a CHAP authentication scheme to make logins more secure (even if the passwords were hashed, those hashes would have been sent in the clear otherwise, and could be intercepted to login with them, so using CHAP prevented that).

For some time now we've been using https, so connections are encrypted. Isn't it redundant to keep using CHAP, or is it still a good idea to keep using this scheme? (Even if it makes logins a little more complicated, since you need the first step of getting the "challenge string" before the users send their login details, then concatenating and re-hashing the password string in the client before sending to the server.)

My question arises because I'm going to develop an API which uses this website's database for the login information, and I don't want to make it more difficult than necessary for users of said API.

Based on the limited information I had about CHAP I'd say you wouldn't want to use it with HTTPS because:

- it's not needed (your data are encrypted anyway)
- it makes the authentication workflow more complex
- the server needs to store a password in clear text

That said, the Basic authentication scheme certainly isn't perfect, and HTTPS only protects you from somebody else seeing the plain-text form of a password. The Basic Authentication scheme still suffers from various issues: a larger than necessary attack window (password repeatedly sent with every request), caching (browsers and other tools like git can cache credentials), accidentally exposing the username & password combination in URLs stored in configuration, etc.
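To make the trade-off concrete, here is an added example (not code from the question or the answer above) that walks through the challenge-response flow the question describes and the storage point the answer raises. The hash construction (SHA-256 of the challenge concatenated with a SHA-256 password digest) and the user names are assumptions chosen for illustration; the page does not specify them. The second class shows the alternative the answer favours under HTTPS: the password travels inside TLS and the server keeps only a salted, slow hash.

```python
import hashlib
import hmac
import secrets


def password_digest(password: str) -> str:
    """Client-side pre-hash of the password, as in the question (SHA-256 assumed)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def chap_response(challenge: str, digest_hex: str) -> str:
    """Client reply: hash of challenge || stored digest (concatenation order assumed)."""
    return hashlib.sha256((challenge + digest_hex).encode("utf-8")).hexdigest()


class ChapServer:
    """Minimal server side of the scheme. Note what it has to keep: exactly the
    digest the client hashes with, so a copy of the users table answers challenges."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}     # username -> password digest
        self.pending: dict[str, str] = {}   # username -> not-yet-used challenge

    def register(self, username: str, password: str) -> None:
        self.users[username] = password_digest(password)

    def issue_challenge(self, username: str) -> str:
        challenge = secrets.token_hex(16)   # fresh random nonce per login attempt
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, response: str) -> bool:
        challenge = self.pending.pop(username, None)  # single use: a replay fails
        stored = self.users.get(username)
        if challenge is None or stored is None:
            return False
        expected = chap_response(challenge, stored)
        return hmac.compare_digest(expected, response)


class BasicOverTlsServer:
    """Contrast: when the password itself arrives inside TLS, the server can store a
    salted, slow hash that does not let a leaked table log in by itself."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, hash)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        h = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
        self.users[username] = (salt, h)

    def verify(self, username: str, password: str) -> bool:
        entry = self.users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
        return hmac.compare_digest(stored, candidate)


def run_chap_login(server: ChapServer, username: str, password: str) -> tuple[bool, bool]:
    """One login attempt: returns (accepted, same response replayed and accepted)."""
    challenge = server.issue_challenge(username)
    response = chap_response(challenge, password_digest(password))
    first = server.verify(username, response)
    replay = server.verify(username, response)
    return first, replay


def stored_digest_is_password_equivalent(server: ChapServer, username: str) -> bool:
    """Answer a fresh challenge using only what the server stores, never the password."""
    challenge = server.issue_challenge(username)
    return server.verify(username, chap_response(challenge, server.users[username]))


if __name__ == "__main__":
    chap = ChapServer()
    chap.register("alice", "correct horse battery staple")  # constructed sample user
    print(run_chap_login(chap, "alice", "correct horse battery staple"))  # (True, False)
    print(run_chap_login(chap, "alice", "wrong password"))                # (False, False)
    print(stored_digest_is_password_equivalent(chap, "alice"))            # True
    basic = BasicOverTlsServer()
    basic.register("alice", "correct horse battery staple")
    print(basic.verify("alice", "correct horse battery staple"))          # True
    print(basic.verify("alice", "wrong password"))                        # False
```

The replay check shows what CHAP does buy (a captured response is useless once the challenge is consumed), while `stored_digest_is_password_equivalent` shows the cost the answer's last bullet points at: whatever the server keeps for a CHAP user is enough to authenticate as that user, whether it is the clear-text password or a plain hash of it. With the password delivered over TLS instead, the server can keep a salted PBKDF2 hash, which is the usual argument for Basic-over-HTTPS plus a proper password hash.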
