blocks|key|823621|text|在HTTPS请求中向服务器发送和从服务器发送的所有数据都是加密的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|823622|这包括URL、标头、POST数据和响应。|823623|如果你的敌人有代码运行在任何一个端点上，他已经击败了你。|823624|你对此无能为力，他不能打败它。|823625|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|J|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|K|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|L|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|M|8|@]|9|@]|A|$]]|$1|H|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|I|$]]

All data sent to and from the server in an HTTPS request is encrypted. 
This include the URL, headers, POST data, and response.

If your enemy has code running on either endpoint, he's already defeated you. 
There is nothing you can do about it that he can't beat.

blocks|key|4491288|text|HTTPs是一种协议，用于防止监视由ISP或公共WIFI劫持者发送的数据和其他情况，它可能无法阻止间谍软件在您的服务器上读取它，要使用SSL发布数据，假设您已经安装了SSL证书，您只需将action属性设置为完整的https://端url即可。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|4491289|来自维基百科：|4491290|HTTPS超文本安全传输协议是|4491291|+/TLS超文本传输协议的组合，用于提供网络web服务器的加密通信和安全标识。|blockquote|4491292|4491293|4491294|关于MD5，我相信您的MD5和SALT技术的组合是相当安全的，它可以防止黑客在访问您的数据库时轻松找到流行的密码。|4491295|entityMap^0|0|5|2L|6|2Z|8|0|0|0|0|0|0|2|3|B|3|F|4|0^^$0|@$1|2|3|4|5|6|7|S|8|@$9|T|A|U|B|C]|$9|V|A|W|B|C]|$9|X|A|Y|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|Z|8|@]|D|@]|E|$]]|$1|H|3|I|5|6|7|10|8|@]|D|@]|E|$]]|$1|J|3|K|5|L|7|11|8|@]|D|@]|E|$]]|$1|M|3|-4|5|6|7|12|8|@]|D|@]|E|$]]|$1|N|3|-4|5|6|7|13|8|@]|D|@]|E|$]]|$1|O|3|P|5|6|7|14|8|@$9|15|A|16|B|C]|$9|17|A|18|B|C]|$9|19|A|1A|B|C]]|D|@]|E|$]]|$1|Q|3|-4|5|6|7|1B|8|@]|D|@]|E|$]]]|R|$]]

<code>HTTPs</code> is a protocol used to prevent watching the data being sent between you and the server by ISPs or public WIFI hijackers and other cases, It may not prevent a spyware on your server to read it, To post data using SSL you only need to set the <code>action</code> attribute to a full <code>https://</code> end url assuming you already installed an SSL certificate.

From Wikipedia:

<blockquote>
 Hypertext Transfer Protocol Secure
 (HTTPS) is a combination of the
 Hypertext Transfer Protocol with the
 SSL/TLS protocol to provide encrypted
 communication and secure
 identification of a network web
 server.
</blockquote>

About the <code>MD5</code>, I believe that your combination of <code>MD5</code> And <code>SALT</code> technique is fairly secure and it prevents hackers to easily find popular passwords if they gained access to your database.

blocks|key|823667|text|HTTPS对于双向通信肯定是安全的(假设您保证私钥的安全)。间谍软件可能会破坏私钥，从而危及主机的HTTPS通信量的安全性。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|823668|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

HTTPS is certainly secure for traffic in both directions (assuming you keep the private key secure). Spyware could compromise the private key and thus the security of HTTPS traffic to the host.

blocks|key|2891335|text|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2891336|我对HTTPS不太熟悉，但我知道它是安全的，我想知道的是，当用户在表单上登录时，表单中的变量(用户名、密码)是否被加密？|blockquote|2891337|2891338|2891339|整个HTTP请求和响应都是加密的。|2891340|然而，将主机名转换为IP地址的DNS查找将不是。|2891341|此外，|2891342|是否足够安全，可以防止主机上运行的任何间谍软件截获登录详细信息？|2891343|2891344|2891345|不是的。HTTPS对客户端和服务器之间的通信进行加密。它不能阻止客户端上的软件干扰请求或读取响应。这包括攻击者截获表单请求并对其进行修改的可能性-因此表单也必须通过SSL发送。|2891346|entityMap^0|0|0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|-4|4|5|6|T|7|@]|8|@]|9|$]]|$1|A|3|B|4|C|6|U|7|@]|8|@]|9|$]]|$1|D|3|-4|4|5|6|V|7|@]|8|@]|9|$]]|$1|E|3|-4|4|5|6|W|7|@]|8|@]|9|$]]|$1|F|3|G|4|5|6|X|7|@]|8|@]|9|$]]|$1|H|3|I|4|5|6|Y|7|@]|8|@]|9|$]]|$1|J|3|K|4|5|6|Z|7|@]|8|@]|9|$]]|$1|L|3|M|4|C|6|10|7|@]|8|@]|9|$]]|$1|N|3|-4|4|5|6|11|7|@]|8|@]|9|$]]|$1|O|3|-4|4|5|6|12|7|@]|8|@]|9|$]]|$1|P|3|Q|4|5|6|13|7|@]|8|@]|9|$]]|$1|R|3|-4|4|5|6|14|7|@]|8|@]|9|$]]]|S|$]]

<blockquote>
 I'm fairly unfamiliar with HTTPS, but I know it's secure, what I want to know is when a user logs in with details on a form, are the variables in that form (username, password) sent to the server encrypted?
</blockquote>

The entirety of the HTTP request and response are encrypted.

The DNS look-up to convert the hostname to an IP address will, however, not be.

<blockquote>
 Also, is HTTPS secure enough to prevent any spyware running on the host from intercepting the login details?
</blockquote>

No. HTTPS encrypts the communication between the client and the server. It cannot prevent software on the client from interfering with the request or reading the response. This includes the possibility of an attacker intercepting the request for the form and modifying it — so the form must be sent over SSL too.

blocks|key|823762|text|好的。让我们将这个问题分解一下，并在这里讨论一些事情。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|823763|首先:你说你知道HTTPS是“安全的”。让我们对此稍加限定。|823764|HTTPS是一种加密机制，仅此而已，因此使用HTTPS本身并不能保证更广泛意义上的“安全性”。如果您使用的是HTTPS，那么您所知道的就是，无论从访问者的浏览器发送到您的服务器的任何信息，都将通过加密的通信通道发送，例如防止Man-in-the-Middle+Attacks攻击。|offset|length|823765|虽然这很重要，但在中使用加密/HTTPS不能保护您免受其他任何数量的潜在漏洞的影响，包括破坏的身份验证机制、注入、跨站点脚本(XSS)和许多其他漏洞。|style|BOLD|823766|如果您有兴趣了解更多关于信息安全的一般知识，我强烈建议您阅读Bruce+Schneier的Secrets+and+Lies，他是一位备受尊敬的安全权威。这本书现在有点旧了，但在我看来，它包含的信息已经很陈旧了。|823767|第二:明确地说，使用HTTPS在中不会保护你免受间谍软件等的攻击。记住，HTTPS只是确保加密的通信，但除此之外什么也做不了。|823768|第三:正如SLaks所说，MD5可能不再是最好的散列算法。虽然我无论如何都不是密码学专家，但我认为如果你使用SHA1+(加上一个强大的salt+)，你仍然是相当安全的。据我所知，MD5在过去几年中遭受了一些数学上的失败，这削弱了它的安全性。|823769|如果你有兴趣学习网络安全的基本细节，我也强烈推荐The+Web+Application+Hacker's+Handbook，我认为它是这个主题的一个很好的入门读物。|823770|我希望这对你有帮助。|823771|entityMap|0|LINK|mutability|MUTABLE|url|http://en.wikipedia.org/wiki/Man-in-the-middle_attack|1|https://rads.stackoverflow.com/amzn/click/com/0471453803|2|http://en.wikipedia.org/wiki/Salt_(cryptography%2529)|3|https://rads.stackoverflow.com/amzn/click/com/0470170778^0|0|0|34|P|0|0|9|19|0|19|G|1|0|G|1|0|1V|4|2|0|O|11|3|0|0^^$0|@$1|2|3|4|5|6|7|19|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|1A|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|1B|8|@]|9|@$F|1C|G|1D|1|1E]]|A|$]]|$1|H|3|I|5|6|7|1F|8|@$F|1G|G|1H|J|K]]|9|@]|A|$]]|$1|L|3|M|5|6|7|1I|8|@]|9|@$F|1J|G|1K|1|1L]]|A|$]]|$1|N|3|O|5|6|7|1M|8|@$F|1N|G|1O|J|K]]|9|@]|A|$]]|$1|P|3|Q|5|6|7|1P|8|@]|9|@$F|1Q|G|1R|1|1S]]|A|$]]|$1|R|3|S|5|6|7|1T|8|@]|9|@$F|1U|G|1V|1|1W]]|A|$]]|$1|T|3|U|5|6|7|1X|8|@]|9|@]|A|$]]|$1|V|3|-4|5|6|7|1Y|8|@]|9|@]|A|$]]]|W|$X|$5|Y|Z|10|A|$11|12]]|13|$5|Y|Z|10|A|$11|14]]|15|$5|Y|Z|10|A|$11|16]]|17|$5|Y|Z|10|A|$11|18]]]]

OK. Let's break this question up a bit and cover a few things here.

First: you say that you know that HTTPS is "secure". Let's qualify that a bit.

HTTPS is an encryption mechanism, and nothing more than that, so using HTTPS in itself does not guarantee "security" in any broader sense. If you're using HTTPS, all you know, really, is that whatever information is sent from your visitor's browser to your server will be sent over an encrypted communication channel, such as to protect against <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack" rel="nofollow noreferrer">Man-in-the-Middle Attacks</a>.

While that is essential, using encryption/HTTPS in no way protects you from any other number of other potential vulnerabilities, including broken authentication mechanisms, SQL injections, Cross-Site Scripting (XSS), and a host of others.

If you're interesting in learning more about Information Security in General, I'd strongly recommend that you read <a href="https://rads.stackoverflow.com/amzn/click/com/0471453803" rel="nofollow noreferrer" rel="nofollow noreferrer">Secrets and Lies</a> by Bruce Schneier, who is a well-respected security authority. The book is a bit old now, but the information it contains has aged very well, in my opinion.

Second: Just to be explicit, using HTTPS will in no way protect you from Spyware, etc. Remember that HTTPS merely ensures encrypted communications, but can do nothing more than that.

Third: As SLaks has said, MD5 is probably not the best hashing algorithm to use anymore. While I'm not an expert on cryptography by any means, I think you're still reasonably safe if you use SHA1 (plus a strong <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)" rel="nofollow noreferrer">salt</a>) instead. To the best of my knowledge, MD5 has suffered some mathematical defeats over the last few years which has weakened its security.

If you're interested in learning the nitty-gritty details of web security, I'd also strongly recommend <a href="https://rads.stackoverflow.com/amzn/click/com/0470170778" rel="nofollow noreferrer" rel="nofollow noreferrer">The Web Application Hacker's Handbook</a>, which I consider to be an excellent primer on the subject.

I hope that's helpful.

blocks|key|1764514|text|HTTPS的用途是维护以下三种基本信息安全需求：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1764515|1764516|+-只有收件人可以阅读发送给him/her.|unordered-list-item|1764517|的邮件-收件人可以检测发送的邮件是否已收到compromised.|1764518|+-收件人可以验证发送的邮件是否来自发件人。|1764519|1764520|就这样。请注意，这只适用于传输的消息。由于HTTPS只保护传输通道，因此发送方和接收方正在发送的数据和发生的数据不在范围之内。|1764521|特别地，这意味着例如|1764522|1764523|发送者通过HTTPS保护的通道发送已经恶意的数据|1764524|接收者通过HTTPS保护的通道接收敏感数据，但机器上有可以读取数据的间谍软件。|1764525|1764526|所以回答你的两个问题：|1764527|1764528|…当用户使用表单上的详细信息登录时，表单中的变量(用户名、密码)是否会发送到服务器？|blockquote|1764529|1764530|1764531|可以，如果您使用HTTPS进行传输，则传输的数据由客户端加密，只有服务器可以解密。|1764532|此外，|1764533|是否足够安全，可以防止主机上运行的任何间谍软件截获登录详细信息？|1764534|1764535|1764536|不，正如已经说过的，HTTPS只保护从发送者到接收者的数据传输。任何超出这一范围的事情都不在讨论范围之内。|1764537|entityMap^0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|1E|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|1F|8|@]|9|@]|A|$]]|$1|C|3|D|5|E|7|1G|8|@]|9|@]|A|$]]|$1|F|3|G|5|E|7|1H|8|@]|9|@]|A|$]]|$1|H|3|I|5|E|7|1I|8|@]|9|@]|A|$]]|$1|J|3|-4|5|6|7|1J|8|@]|9|@]|A|$]]|$1|K|3|L|5|6|7|1K|8|@]|9|@]|A|$]]|$1|M|3|N|5|6|7|1L|8|@]|9|@]|A|$]]|$1|O|3|-4|5|6|7|1M|8|@]|9|@]|A|$]]|$1|P|3|Q|5|E|7|1N|8|@]|9|@]|A|$]]|$1|R|3|S|5|E|7|1O|8|@]|9|@]|A|$]]|$1|T|3|-4|5|6|7|1P|8|@]|9|@]|A|$]]|$1|U|3|V|5|6|7|1Q|8|@]|9|@]|A|$]]|$1|W|3|-4|5|6|7|1R|8|@]|9|@]|A|$]]|$1|X|3|Y|5|Z|7|1S|8|@]|9|@]|A|$]]|$1|10|3|-4|5|6|7|1T|8|@]|9|@]|A|$]]|$1|11|3|-4|5|6|7|1U|8|@]|9|@]|A|$]]|$1|12|3|13|5|6|7|1V|8|@]|9|@]|A|$]]|$1|14|3|15|5|6|7|1W|8|@]|9|@]|A|$]]|$1|16|3|17|5|Z|7|1X|8|@]|9|@]|A|$]]|$1|18|3|-4|5|6|7|1Y|8|@]|9|@]|A|$]]|$1|19|3|-4|5|6|7|1Z|8|@]|9|@]|A|$]]|$1|1A|3|1B|5|6|7|20|8|@]|9|@]|A|$]]|$1|1C|3|-4|5|6|7|21|8|@]|9|@]|A|$]]]|1D|$]]

The purpose of HTTPS is used to maintain these three fundamental information security needs:

<ul>
<li><a href="http://en.wikipedia.org/wiki/Information_security#Confidentiality" rel="nofollow">Confidentiality</a> – Only the recipient can read the transmitted message that was meant for him/her.</li>
<li><a href="http://en.wikipedia.org/wiki/Information_security#Integrity" rel="nofollow">Integrity</a> – Recipient can detect whether the transmitted message got compromised.</li>
<li><a href="http://en.wikipedia.org/wiki/Information_security#Authenticity" rel="nofollow">Authenticity</a> – Recipient can verify that the transmitted message is from the sender.</li>
</ul>

That’s it. Note that this does only apply for the transmitted message. What is being sent and what happens with the data on the sender’s and recipient’s side is out of scope as HTTPS does only protect the transmission channel.

Particularly this means that it is possible that for example

<ul>
<li>the sender sends already malicious data over an HTTPS protected channel</li>
<li>the recipient receives sensible data over an HTTPS protected channel but there is spyware on the machine that can read the data.</li>
</ul>

So to answer your two questions:

<blockquote>
 […] when a user logs in with details on a form, are the variables in that form (username, password) sent to the server encrypted?
</blockquote>

Yes, if you use HTTPS for the transmission the transmitted data is encrypted by the client and only the server can decrypt it.

<blockquote>
 Also, is HTTPS secure enough to prevent any spyware running on the host from intercepting the login details?
</blockquote>

No, as already said, HTTPS does only protect the data transmission from the sender to the recipient. Anything beyond that is out of scope.

I'm fairly unfamiliar with HTTPS, but I know it's secure, what I want to know is when a user logs in with details on a form, are the variables in that form (username, password) sent to the server encrypted?

I'm asking this, as I'm using a form to log people in, but I'm also hashing their passwords with MD5 together with a SALT for verification.

Also, is HTTPS secure enough to prevent any spyware running on the host from intercepting the login details?

Sorry for asking a few questions in this post, but thanks in advance for any answers.

POST form values over HTTPS

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

我对HTTPS相当不熟悉，但我知道它是安全的，我想知道的是，当用户在表单上登录时，表单中的变量(用户名、密码)是否被加密？我是这样问的，因为我正在使用一个表单让人们登录，但我也会将他们的密码与MD5和一个SALT一起散列以进行验证。另外，HTTPS是否足够安全，可以防止主机上运行的任何间谍软件截获登录详细信息？很抱歉在...

问通过HTTPS发布表单值
EN

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问通过HTTPS发布表单值EN