On our site, we provide to users a simulation based on their private information (given through a form). We would like to allow them to get back on their simulation results later, but without forcing them to create a login/password account.
我们曾考虑向他们发送一封带有链接的电子邮件,他们可以从中获取结果.但是,很自然地,我们必须保护这个 URL,因为私人数据处于危险之中.
We have thought of sending them an email with a link, from which they could get back their results. But, naturally, we have to secure this URL, because private data is at stake.
因此,我们打算在 URL 中传递令牌(例如 40 个字符的字母和数字组合,或 MD5 哈希)并使用 SSL.
So we're intending to pass a token (like a 40 characters combination of letters and digit, or a MD5 Hash) in the URL and to use SSL.
Finally, they would receive an email like that:
你怎么看?是否足够安全?对于代币生成,您有什么建议?在 https 请求中传递 URL 参数怎么样?
What do you think about it? Is it secure enough? What would you advise me for the token generation? What about passing URL parameters in a https request?
SSL 将保护传输中的查询参数;然而,电子邮件本身并不安全,在到达目的地之前,电子邮件可能会在任意数量的服务器上反弹.
SSL will protect the query parameters in transit; however, email itself is not secure, and the email could bounce along any number of servers before getting to its destination.
此外,根据您的 Web 服务器,完整 URL 可能会记录在其日志文件中.根据数据的敏感程度,您可能不希望 IT 人员访问所有令牌.
Also depending on your web server the full URL might get logged in its log files. Depending on how sensitive the data is you might not want your IT people having access to all the tokens.
此外,带有查询字符串的 URL 将保存在您用户的历史记录中,允许同一台机器的其他用户访问该 URL.
Additionally the URL with the query string would be saved in your user's history, allowing other users of the same machine to access the URL.
最后,让这非常不安全的是,URL 是在对任何资源,甚至第三方资源的所有请求的 Referer 标头中发送的.因此,例如,如果您使用 Google Analytics(分析),您将向 Google 发送 URL 令牌并将其全部发送给他们.
Finally and what makes this very insecure is, the URL is sent in the Referer header of all requests for any resource, even third party resources. So if you're using Google Analytics for example, you will send Google the URL token in and all to them.
In my opinion this is a bad idea.
这篇关于带有令牌参数的 https URL:它有多安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!