password sent via post secure? [duplicate]
Possible Duplicate:
How secure is a HTTP POST?
Suppose I have a login page in PHP where a user is required to enter his name and password. The form method is post in this case.
Now someone (my friend) told me that the information (username and password) that is entered and sent to the server can be hacked just by fetching the header of the resulting page generated. So you should encrypt the header, and that is why HTTPS is used.
This didn't make sense to me because I thought the information (username and password) sent via the post method is completely secure and that just by header hacking one cannot have access to the username and password.
Is my friend correct? If not, is there any way to do such stuff for someone who has no access to the code? How can I send my private information via HTTPS (the page is to be coded in PHP)?
EDIT: Data through the get method is sent via the header. Right? Is data through post also sent via the header?
Without SSL, data sent through POST is equivalent to data sent through GET, or in other words, not encrypted at all.
Your password is not secure if you just send it with POST - still visible and unencrypted, albeit a tiny bit less obvious.
Sending an unencrypted password via POST is the most insecure, yet still relatively sane way of doing this. (yes, there are less secure ways, but those are completely insane - sending a password form through GET is about as secure as broadcasting it on TV or printing it in the newspaper).
This is what a typical GET request looks like:
GET http://somedomain.example.com/path/file?here=are&the=GET&parameters=.
X-Some-Header: header content
X-Another-Header: 1
Here's a similar POST request (note that you can send both GET and POST parameters in a POST request):
POST http://somedomain.example.com/path/file?here=are&the=GET&parameters=.
X-Some-Header: header content
X-Another-Header: 1
Content-Length: 40
with_POST&=the&content=is&here_in=the&request=body
As you can see, HTTP is a completely plaintext protocol - there is no encryption performed on the data, so anyone can view and/or modify it in transit. Access to the code is not necessary at all - just watch the traffic and your data will be there, for anyone to see (you can verify this with tools such as Wireshark which allows you to view network traffic).
To remove this need to trust the whole world, HTTPS (S is for Secure) was created, which provides encryption ("only the sender and receiver can read it") and authentication ("the server is indeed yourserver.example.com, and not evilserver.example.net").
HTTPS is a wrapper around HTTP: where with HTTP the client connects to the webserver and starts the conversation, HTTPS first establishes a secure SSL tunnel, and the HTTP communication goes through that. Setting up an HTTPS server is a bit more complex than HTTP, see e.g. this article.
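To make the "completely plaintext" point concrete, here is an added example (my own, not code from the question or from any of the answers) that parses two constructed captures shaped like the GET and POST requests above and flags the credential pair in each. The field names `user` and `pass` are assumptions. It is the kind of rule a network monitor runs to alert on logins sent over plaintext HTTP: the only thing that differs between GET and POST is whether the fields sit in the query string or in the body.

```python
"""Audit captured plaintext HTTP requests for credentials in transit.

Added example, not code from the question or any of the answers. The two
request captures below are constructed to match the GET and POST shapes shown
in the answer above; the field names (user, pass) are assumptions.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample captures, CRLF-delimited as on the wire.
GET_REQUEST = (
    b"GET /login?user=alice&pass=hunter2 HTTP/1.1\r\n"
    b"Host: somedomain.example.com\r\n"
    b"X-Some-Header: header content\r\n"
    b"\r\n"
)

POST_REQUEST = (
    b"POST /login?next=home HTTP/1.1\r\n"
    b"Host: somedomain.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"user=alice&pass=hunter2"
)

USER_KEYS = ("user", "username", "login", "email")   # assumed field names
PASS_KEYS = ("pass", "password", "passwd")


def parse_request(raw: bytes) -> Dict:
    """Split one HTTP/1.x request into request line, headers, query and form."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # Only Content-Length bytes belong to this request; anything after is the next one.
    length = int(headers.get("content-length", "0"))
    body = body[:length]

    url = urlsplit(target)  # handles both "/path?q" and "http://host/path?q" targets
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    form: Dict[str, str] = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body.decode("iso-8859-1")).items()}

    return {"method": method, "path": url.path, "headers": headers,
            "query": query, "form": form}


def find_credentials(req: Dict) -> Optional[Dict[str, str]]:
    """Return the visible username/password pair and where it was found, or None."""
    for where in ("query", "form"):
        fields = req[where]
        user = next((fields[k] for k in USER_KEYS if k in fields), None)
        password = next((fields[k] for k in PASS_KEYS if k in fields), None)
        if user is not None and password is not None:
            return {"username": user, "password": password, "where": where}
    return None


def audit(raw: bytes) -> str:
    """One-line verdict for a captured request, as a monitoring rule would emit it."""
    req = parse_request(raw)
    found = find_credentials(req)
    if found is None:
        return "ok: %s %s carries no credential pair" % (req["method"], req["path"])
    return "ALERT: %s %s sends a password in plaintext (%s)" % (
        req["method"], req["path"], found["where"])


if __name__ == "__main__":
    for capture in (GET_REQUEST, POST_REQUEST):
        print(audit(capture))
```

Both captures produce an ALERT; the GET one reports the pair in the query string and the POST one in the form body. Nothing in the parser had to decrypt anything, which is the whole point: the body of a POST is just more bytes on the same plaintext connection.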
You can read the submitted data with Wireshark (http://de.wikipedia.org/wiki/Wireshark) if you sent the form data without HTTPS.
I thought the information (username and password) sent via post method are completely secure
Wrong. Data sent via POST is practically as insecure as data sent via GET. The only (marginal) difference is that GET data is slightly more "accessible", via URLs, histories and perhaps logs. But if someone can sniff the link, they can very easily spy on the users and passwords sent via an HTTP request (POST or GET) unless SSL (https://) is used.
From Wikipedia
HTTP is unsecured and is subject to man-in-the-middle and eavesdropping attacks which can let attackers gain access to website accounts and sensitive information. HTTPS is designed to withstand such attacks and is considered secure against such attacks.
If you're concerned about someone intercepting your data, use HTTPS.
I believe the PHP script that submits the form, and the form itself, need to be in a directory on the webserver that is set up with SSL. You have to have an SSL certificate enabled for that website as well.
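The practical consequence of the answers above is that the login form, and the script it posts to, must only ever be reachable over HTTPS. As an added example (written in Python with WSGI-style environ dicts rather than the asker's PHP, and not taken from any answer here) the helpers below enforce that: a plaintext GET for the form is redirected to the HTTPS URL, a plaintext POST is refused because the password has already crossed the wire unencrypted, HSTS is sent on HTTPS responses, and the session cookie is marked Secure. The environs at the bottom are constructed; the `TRUST_PROXY` flag and the cookie name `sid` are assumptions.

```python
"""Serve the login form only over HTTPS (WSGI-style helpers).

Added example, written in Python rather than the asker's PHP and not taken
from any answer here. Assumptions: no proxy in front of the app unless
TRUST_PROXY is set, and the session cookie is named "sid".
"""
from typing import List, Optional, Tuple
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"
# Only honour X-Forwarded-Proto when a proxy you control is known to set it;
# otherwise any client could claim "https" on a plaintext connection.
TRUST_PROXY = False

Response = Tuple[str, List[Tuple[str, str]]]


def is_https(environ: dict) -> bool:
    """True when this request arrived over TLS (directly, or via a trusted proxy)."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return TRUST_PROXY and environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def require_https(environ: dict) -> Optional[Response]:
    """None if the request may proceed, else a (status, headers) response.

    GET/HEAD over plaintext is redirected so the browser loads the form over
    HTTPS. A POST over plaintext is refused outright: the credentials were
    already exposed on the wire and a redirect would not undo that, so the
    login is not processed and the user must re-enter it over HTTPS.
    """
    if is_https(environ):
        return None
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if environ["REQUEST_METHOD"] in ("GET", "HEAD"):
        target = "https://" + host + quote(environ.get("PATH_INFO", "/"))
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        return ("301 Moved Permanently", [("Location", target)])
    return ("403 Forbidden", [("Content-Type", "text/plain")])


def response_headers(environ: dict, headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Add HSTS on HTTPS responses so later visits skip the plaintext hop entirely."""
    out = list(headers)
    if is_https(environ):  # browsers ignore HSTS received over plain HTTP
        out.append(("Strict-Transport-Security", HSTS_VALUE))
    return out


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session; Secure keeps it off plaintext connections."""
    return "sid=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % session_id


# Constructed WSGI environs for the three cases that matter here.
HTTP_GET_ENV = {"wsgi.url_scheme": "http", "REQUEST_METHOD": "GET",
                "HTTP_HOST": "somedomain.example.com", "PATH_INFO": "/login",
                "QUERY_STRING": "next=home"}
HTTP_POST_ENV = {"wsgi.url_scheme": "http", "REQUEST_METHOD": "POST",
                 "HTTP_HOST": "somedomain.example.com", "PATH_INFO": "/login",
                 "QUERY_STRING": ""}
HTTPS_POST_ENV = {"wsgi.url_scheme": "https", "REQUEST_METHOD": "POST",
                  "HTTP_HOST": "somedomain.example.com", "PATH_INFO": "/login",
                  "QUERY_STRING": ""}

if __name__ == "__main__":
    for env in (HTTP_GET_ENV, HTTP_POST_ENV, HTTPS_POST_ENV):
        print(env["REQUEST_METHOD"], env["wsgi.url_scheme"], "->", require_https(env))
```

The same rules are usually duplicated in the web server configuration (a plain-HTTP virtual host that only redirects), but keeping the check in the application as well means a misconfigured server cannot silently start accepting plaintext logins.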