If I created an html/jquery widget that was meant to be placed on 3rd party websites (where users are expected to have extremely low technical knowledge and probably lacking an SSL certificate) and used jquery to AJAX Post the information of the widget to a secure url the information posted would be secured properly correct?
如果我创建了一个html / jquery小部件,该小部件旨在放置在第三方网站上(用户需要具有极低的技术知识并且可能缺少SSL证书)并使用jquery将AJT发布到安全的小部件信息url发布的信息是否正确安全?
Edit: Can anyone elaborate on the same origin policy / implications of having a site that has no SSL certificate in regards to it?
编辑:任何人都可以详细说明拥有一个没有SSL证书的网站的原始政策/含义吗?
3 个解决方案
#1
3
The data would be secure in transit, but the page making the request could be intercepted and modified in before reaching the client so the request could be diverted or modified. (Simple case - make two requests instead of one, one to the secure server and one to a hacker's server)
数据在传输过程中是安全的,但是在到达客户端之前,可以拦截和修改发出请求的页面,以便可以转移或修改请求。 (简单的情况 - 发出两个请求而不是一个,一个发送到安全服务器,一个发送到黑客的服务器)
If you want security then you need to have both the page performing data collection/submission and the page processing the data passed over SSL.
如果您需要安全性,那么您需要让页面执行数据收集/提交,页面处理通过SSL传递的数据。
(You would also have to deal with the issue of Same Origin Policy.)
(您还必须处理同源政策问题。)
#2
1
Yes, it will use HTTPS for the Ajax request.
是的,它将使用HTTPS来执行Ajax请求。
However you cannot make an off-site request (same-origin policy), and when your client lacks a proper SSL certificate, I don't see how you would make a secure AJAX request (?).
但是,您无法发出异地请求(同源策略),并且当您的客户端缺少正确的SSL证书时,我看不出您将如何发出安全的AJAX请求(?)。
#3
1
That depends on the definition you want to use for "Secure". Security is subjective, and some people have a more "broad" definition of "secure" than others.
这取决于您要用于“安全”的定义。安全是主观的,有些人对“安全”的定义比其他人更“宽泛”。
If by "Secure" you're asking if a sniffer can get your post across the network, then sure, using https would make it secure in that regards.
如果通过“安全”您询问嗅探器是否可以通过网络发布您的帖子,那么请确保使用https可以确保其安全。
However, if the page is doing this post to your server to do anything that the user might not want it to do, then by MY definition it's not secure.
但是,如果页面正在向您的服务器发送此帖子以执行用户可能不希望它执行的任何操作,那么通过MY定义它不安全。
For example, I would be fine with this script calling your service if your service were providing data back to the site (for a legitimate purpose in other words). A good example would be calling your site to provide a stock quote, or a joke-of-the-day that shows up on the page, that's fine,.
例如,如果您的服务将数据提供回网站(换句话说是出于合法目的),我可以使用此脚本调用您的服务。一个很好的例子就是打电话给你的网站提供股票报价,或者在页面上显示的一天的笑话,这很好。
BUT if your script was doing a post to track my presence on the site, add me to a potential mailing list, steal my data, or any purpose other than what's needed for me to do my work on your site, then you're violating my privacy, or at least doing something behind the scenes that I really don't anticipate or want to happen. In that case, by definition, any activity that uses stealth to track me or steal my personal and/or financial data (including my browsing habits) is a security violation.
但是,如果您的脚本正在发帖以跟踪我在网站上的状态,请将我添加到潜在的邮件列表,窃取我的数据或除了我在您的网站上工作所需的任何其他目的之外,那么您就违反了我的隐私,或者至少在幕后做一些我真正没想到或想要发生的事情。在这种情况下,根据定义,任何使用隐身来跟踪我或窃取我的个人和/或财务数据(包括我的浏览习惯)的活动都是违反安全规定的行为。
Also, if your script in any way weakens existing defenses on teh web page or introduces new vulnerabilities, then no, it's not secure by anyone's definition.
此外,如果您的脚本以任何方式削弱网页上的现有防御或引入新的漏洞,那么不,任何人的定义都不安全。
#1
3
The data would be secure in transit, but the page making the request could be intercepted and modified in before reaching the client so the request could be diverted or modified. (Simple case - make two requests instead of one, one to the secure server and one to a hacker's server)
数据在传输过程中是安全的,但是在到达客户端之前,可以拦截和修改发出请求的页面,以便可以转移或修改请求。 (简单的情况 - 发出两个请求而不是一个,一个发送到安全服务器,一个发送到黑客的服务器)
If you want security then you need to have both the page performing data collection/submission and the page processing the data passed over SSL.
如果您需要安全性,那么您需要让页面执行数据收集/提交,页面处理通过SSL传递的数据。
(You would also have to deal with the issue of Same Origin Policy.)
(您还必须处理同源政策问题。)
#2
1
Yes, it will use HTTPS for the Ajax request.
是的,它将使用HTTPS来执行Ajax请求。
However you cannot make an off-site request (same-origin policy), and when your client lacks a proper SSL certificate, I don't see how you would make a secure AJAX request (?).
但是,您无法发出异地请求(同源策略),并且当您的客户端缺少正确的SSL证书时,我看不出您将如何发出安全的AJAX请求(?)。
#3
1
That depends on the definition you want to use for "Secure". Security is subjective, and some people have a more "broad" definition of "secure" than others.
这取决于您要用于“安全”的定义。安全是主观的,有些人对“安全”的定义比其他人更“宽泛”。
If by "Secure" you're asking if a sniffer can get your post across the network, then sure, using https would make it secure in that regards.
如果通过“安全”您询问嗅探器是否可以通过网络发布您的帖子,那么请确保使用https可以确保其安全。
However, if the page is doing this post to your server to do anything that the user might not want it to do, then by MY definition it's not secure.
但是,如果页面正在向您的服务器发送此帖子以执行用户可能不希望它执行的任何操作,那么通过MY定义它不安全。
For example, I would be fine with this script calling your service if your service were providing data back to the site (for a legitimate purpose in other words). A good example would be calling your site to provide a stock quote, or a joke-of-the-day that shows up on the page, that's fine,.
例如,如果您的服务将数据提供回网站(换句话说是出于合法目的),我可以使用此脚本调用您的服务。一个很好的例子就是打电话给你的网站提供股票报价,或者在页面上显示的一天的笑话,这很好。
BUT if your script was doing a post to track my presence on the site, add me to a potential mailing list, steal my data, or any purpose other than what's needed for me to do my work on your site, then you're violating my privacy, or at least doing something behind the scenes that I really don't anticipate or want to happen. In that case, by definition, any activity that uses stealth to track me or steal my personal and/or financial data (including my browsing habits) is a security violation.
但是,如果您的脚本正在发帖以跟踪我在网站上的状态,请将我添加到潜在的邮件列表,窃取我的数据或除了我在您的网站上工作所需的任何其他目的之外,那么您就违反了我的隐私,或者至少在幕后做一些我真正没想到或想要发生的事情。在这种情况下,根据定义,任何使用隐身来跟踪我或窃取我的个人和/或财务数据(包括我的浏览习惯)的活动都是违反安全规定的行为。
Also, if your script in any way weakens existing defenses on teh web page or introduces new vulnerabilities, then no, it's not secure by anyone's definition.
此外,如果您的脚本以任何方式削弱网页上的现有防御或引入新的漏洞,那么不,任何人的定义都不安全。