blocks|key|1694839|text|在以最简单的术语传输表单时，将表单从http页面发送到https页面确实会对表单中的数据进行加密。如果存在中间人攻击，浏览器会向您发出警告。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1694840|但是，如果原始的http表单受到中间人的攻击，并且https回发地址被攻击者修改，那么您将不会收到任何警告。数据实际上仍然是加密的，但中间人攻击者将能够解密(因为他首先将密钥发送给您)并读取数据。|1694841|此外，如果表单通过其他方式(脚本连接)发送回内容，则可能会在表单发布之前通过网络发送未加密的数据(尽管任何好的网站都不会对任何类型的敏感数据执行此操作)。|1694842|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|I|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|J|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|G|$]]

Posting a form from an http page to an https page does encrypt the data in the form when it is transmitted in the most simple terms. If there is a man-in-the-middle attack, the browser will warn you.

However, if the original http form was subjected to man-in-the-middle and the https post-back address was modified by the attacker, then you will get no warning. The data will still actually be encrypted, but the man-in-the-middle attacker would be able to decrypt (since he sent you the key in the first place) and read the data.

Also, if the form is sending things back through other means (scripted connections) there may be a possibility of unencrypted data being sent over the wire before the form is posted (although any good website would never do this with any kind of sensitive data).

blocks|key|1479648|text|This+post是最关键的一个。是的，如果用户的数据被发送给你，它就会安全地到达某个地方。但是没有理由相信你的网站会在某个地方出现。在这一点上，攻击者不只是要监听数据在每个方向上的移动。他将是用户会话的另一端。你的网站只会认为用户从来没有费心提交表单。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1479649|entityMap|0|LINK|mutability|MUTABLE|url|http://ask.metafilter.com/48531/are-http-forms-posted-thru-https-secure#738842^0|0|9|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

<a href="http://ask.metafilter.com/48531/are-http-forms-posted-thru-https-secure#738842" rel="nofollow noreferrer">This post</a> is the key one. Yes, if the user's data is sent to you, it will have arrived somewhere securely. But there is no reason to believe that somewhere will be your site. The attacker isn't just going to get to listen to the data moving in each direction at this point. He'll be the other end of the user's session. The your site is just going to think the user never bothered to submit the form.

blocks|key|1479677|text|不，从HTTP转到HTTPS是不安全的。请求的起始点和结果点必须是HTTPS，才能建立和使用安全通道。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1479678|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

No, it's not secure to go from HTTP to HTTPS. The originating and resulting points of the request must be HTTPS for the secure channel to be established and utilized.

blocks|key|1694949|text|对于我(作为最终用户)来说，HTTPS会话的价值不仅在于数据是加密的，而且在于我可以验证我输入超级机密的页面是否来自我想要的位置。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1694950|将表单放在非HTTPS会话中会使这一保证失效。|1694951|(我知道-这只是另一种说法，即表单受到MITM攻击)。|1694952|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|I|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|J|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|G|$]]

For me (as an end-user), the value of an HTTPS session is not only that the data is encrypted, but that I have verification that the page I'm typing my super-secrets into has come from the place I want it to.

Having the form in a non-HTTPS session defeats that assurance.

(I know - this is just another way of saying that the form is subject to an MITM attack).

blocks|key|1695004|text|我认为这个问题的主要考虑因素是用户知道的URL和浏览器默认替换的协议方案(http：)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1695005|在这种情况下，想要确保加密通道的站点的正常行为是将http://home-page重定向到https://home-page。仍然存在欺骗/+MitM的机会，但如果是由DNS中毒造成的，风险不会比从https:+URL开始的风险更高。如果一个不同的域名返回，你需要担心。|offset|length|1695006|这可能已经足够安全了。毕竟，如果您受到有针对性的MitM攻击，那么您不妨开始担心键盘记录器、本地主机文件以及各种其他方式来查找涉及系统已被拥有的安全事务。|1695007|entityMap|0|LINK|mutability|MUTABLE|url|http://home-page/|1|https://home-page/^0|0|P|G|0|19|H|1|0|0^^$0|@$1|2|3|4|5|6|7|R|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|S|8|@]|9|@$D|T|E|U|1|V]|$D|W|E|X|1|Y]]|A|$]]|$1|F|3|G|5|6|7|Z|8|@]|9|@]|A|$]]|$1|H|3|-4|5|6|7|10|8|@]|9|@]|A|$]]]|I|$J|$5|K|L|M|A|$N|O]]|P|$5|K|L|M|A|$N|Q]]]]

I think the main consideration of this question has to do with the URL that users know and the protocol scheme (http:)that browsers substitute by default.

In that case, the normal behavior of a site that wants to ensure an encrypted channel is to have the <a href="http://home-page" rel="nofollow noreferrer">http://home-page</a> redirect to <a href="https://home-page" rel="nofollow noreferrer">https://home-page</a>. There is still a spoofing / MitM opportunity, but if it is by DNS poisoning, the risk is no higher than if one starts out with the https: URL. If a different domain name comes back, you need to worry then.

This is probably safe enough. After all, if you are subject to a targetted MitM, you might as well start worrying about keyboard loggers, your local HOSTS file, and all sorts of other ways of finding out about your secure transactions involving your system already being owned.

blocks|key|1479801|text|每个建议您只提供登录页面的链接的人似乎都忘记了，使用MITM攻击可以很容易地更改该链接。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1479802|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

Everyone suggesting that you provide only a link to the login page seems to be forgetting that the link could easily be changed using a MITM attack.

blocks|key|1479876|text|上面所有这些中最大的遗漏之一是，将登录放在主页上是一种普遍趋势(用户体验趋势中的巨大趋势)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1479877|这里最大的问题是Google不喜欢搜索安全的页面，所以所有那些想知道为什么不让所有的页面都安全的开发者，如果你想让Google看不见你的页面，那么就保护它吧。否则，在这一点上，从http发布到https的次佳选择是两个缺点中较小的一个？|1479878|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

One of the biggest things missed out in all of the above is that there is a general trend to place a login on a home page (Huge trend in User Experience Trends).

The big problem here is that Google does not like to search secure pages with good reason, so all those Devs who are wondering why not make it all secure, well if you want your page invisible to Google, secure it all. Else, the second best option to post from http to https is the lesser of two evils at this point?

Is it acceptable to submit from an http form through https? It seems like it should be secure, but it allows for a man in the middle attack (<a href="http://ask.metafilter.com/48531/are-http-forms-posted-thru-https-secure" rel="noreferrer">here is a good discussion</a>). There are sites like <a href="http://www.mint.com" rel="noreferrer">mint.com</a> that allow you to sign-in from an http page but does an https post. In my site, the request is to have an http landing page but be able to login securely. Is it not worth the possible security risk and should I just make all users go to a secure page to login (or make the landing page secure)?

Is it secure to submit from a HTTP form to HTTPS?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

从http表单通过https提交可以接受吗？它看起来应该是安全的，但它允许中间人攻击()。有像这样的网站允许你从http页面登录，但可以使用https post。在我的网站，该要求是有一个http登录页面，但能够安全登录。这是不是不值得冒可能的安全风险，我应该让所有用户都去一个安全的页面登录(或使登录页面安全)？

问从HTTP表单提交到HTTPS是否安全？
EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问从HTTP表单提交到HTTPS是否安全？EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问从HTTP表单提交到HTTPS是否安全？
EN