POST data encryption - Is HTTPS enough?
Question
Consider a scenario, where user authentication (username and password) is entered by the user in the page's form element, which is then submitted. The POST data is sent via HTTPS to a new page (where the php code will check for the credentials). Now if a hacker sits in the network, and say has access to all the traffic, is the Application layer security (HTTPS) enough in this case ? I mean, would there be adequate URL encryption or is there a need to have Transport Layer security ?
4 answers
solution1
10 ACCPTED 2011-03-15 09:53:43
Yes, everything (including the URL) is going through the encrypted channel. The only thing that the villain would find out is the IP address of the server you are connecting to, and that you are using HTTPS.
Well, if he was monitoring your DNS requests as well, he might also know the domain name of the IP address. But just that, the path, query parameters, and everything else is encrypted.
solution2
2 2011-03-15 09:53:57
Yes. In an HTTPS only the handshake is done unencrypted, but even the HTTP GET/POST query's are done encrypted.
It is however impossible to hide to what server you are connecting, since he can see your packets he can see the IP address to where your packets go. If you want to hide this too you can use a proxy (though the hacker would know that you are sending to a proxy, but not where your packets go afterwards).
solution3
0 2011-03-15 10:18:33
HTTPS is sufficient "if" the client is secure. Otherwise someone can install a custom certificate and play man-in-the-middle.
As a web developer not much can be done other than disallowing HTTP requests. This can be done via mod_rewrite in Apache.
solution4
-1 2011-03-15 09:55:43
是足够的,因为如果它可以访问您的所有流量,无论您使用什么加密协议,他都可以使用中间的人来加密协议。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.