Is it possible to have a secure web form without an HTTPS server?

Time: 2022-11-23 17:56:07

I have a website hosted on a provider which doesn't give me a fixed IP address, so I cannot use HTTPS. I would like to edit some pages using a web form, but in a secure fashion.

The client would be an iPhone-type device, so a Java or Flash applet would be out of the question.

  • Is there a way to still have a secure connection between the server and the browser using only JavaScript in the browser?

The language on the server is currently PHP, but it could be Ruby, Python, Perl or Lua.

10 solutions

#1


Installing an SSL certificate doesn't technically require a fixed IP address - the SSL certificate is tied to the host name (common name). We have often changed IP addresses on our hosts and never changed anything related to the certificates.

That said, you could indeed use JavaScript or the like, but it's not really a nice solution - it'll always smell like a hack.

#2


You could use some form of public key encryption implemented in javascript:

  • You give the client side the form, your public key, and a JS encryption library

  • On submission, JS kicks in and encrypts the form payload

  • You decrypt with your private key

This would prevent anyone from sniffing your sensitive info on the wire, but doesn't provide any protection against a man-in-the-middle attack. SSL makes such an attack a little trickier to pull off, but not impossible.

#3


Not in the traditional sense, no, but there are a few options:

  1. Get better hosting. You could have a VPS with a fixed IP for $20/month. Certificate for $30 a year. Fairly cheap for people that need the security.

  2. You could encrypt the form data using JavaScript and PGP. This is cheap (and it'll look it to your users), but it should keep your data safe enough.

  3. There might be third parties out there that allow for form submission through their servers (and, by extension, their certificates). You and your users would have to trust them not to abuse the data though.

#4


In theory you could implement some sort of secure communication between the client and server using JavaScript and XmlHttpRequests. In practice it sounds like a lot of work and the chances of it being fast and truly secure seem low.

As Alex says above though, even if you managed to implement in JS, you'd still have to serve the JS to the client over an insecure connection, therefore making it all fairly pointless.

Still, crazier things have been implemented in JavaScript before...

#5


I would say the answer is no. The reason is that without HTTPS, all traffic is unencrypted plain text. Therefore, any encryption algorithm or key exchange on the client side would be readable by anyone. I could be wrong though... I've never tried it.

#6


It is theoretically possible, provided you can control the client and (for example) have trusted JavaScript there which is not downloaded from the server. I could elaborate, but anything along these lines is a PITA and error-prone compared to using HTTPS.

Also it should not be necessary to have a fixed IP - do you have a domain name?

#7


How would it be possible to use JavaScript? In order for the browser to execute the JavaScript, it would have to first download it from the (previously stated) insecure server. HTTPS is a server/client protocol, so if you can't implement it with the server itself, you won't be able to implement it at all.

All you need for HTTPS is a single IP address, so it wouldn't matter if it changed. You should be able to use HTTPS with a dynamic IP, but you might need to talk to your hoster. If your hosting is on a shared server, then it won't work and you'll need a dedicated IP. They aren't that expensive, so maybe you should just shell out the $3/4 a month?

Alex

#8


SSL operates off the domain name, not an IP address. As long as you have and own a domain name, and have a provider willing to open port 443 and install the certificate you purchase for your site, you can do HTTPS.

That being said, assuming you can't do it, look into SRP:

From the site: "SRP is a secure password-based authentication and key-exchange protocol. It solves the problem of authenticating clients to servers securely... In addition, SRP exchanges a cryptographically-strong secret as a byproduct of successful authentication, which enables the two parties to communicate securely."

They have JavaScript examples. You'd use the byproduct to encrypt the data over the wire.

However, like most posters, you'd probably be better off moving to a new provider.

#9


It's almost 2 years later, but there's an open-source SSL/TLS implementation in JavaScript now. However, it currently relies on Flash to provide raw socket access... so unless the application is going to run on an Android phone rather than an iPhone, it might not be all that helpful.

http://github.com/digitalbazaar/forge/blob/master/README

#10


Yes. You can use an embedded form, using PGP encryption, from Private Forms.

Private Forms is SaaS that encrypts web form data client-side before sending the data to the server. Then, this encrypted data is sent to you. All data is encrypted using your PGP public key, which only you can decrypt using your PGP private key.

So, the person filling out the forms knows it's "secure", but they don't need to be familiar with the details (like generating keys, etc).
