Question

Just want to verify, when making a SSL connection (http post) to say:

https://www.example.com/some/path?customer_key=123123123

如果你不想让任何人知道客户——钥匙,那么即使我正在使链接正确,这种做法也不会奏效?

All data that I want secured has to be in the request body right?

Answer 1

Quoting the :

When the TLS handshake has finished. The client may then initiate the first HTTP request. All HTTP data MUST be sent as TLS "application data".

基本上,首先建立了安全SSL/TLS频道。仅在那时,《吉大港山区议定书》才得到使用。这将保护与南太平洋区域渔业管理组织的所有往来业务,包括吉大港山区的头目(含有URL和 co)。

手法中可以明显看出的是主名本身,因为它包含在服务器证书中,在手法中可以清楚地看到这一点(而且往往很容易通过看望IP地址的目的地来猜测东道名称)。

When using Server Name Indication, the requested host name should also be visible in the server_name extension in the ClientHello message. Otherwise, there may be a bit of ambiguity (for the eavesdropper) to guess the host name from the certificate if the certificate is valid for multiple host names (e.g. multiple Subject Alt. Names or wildcards). In this case eavesdropping the DNS request from the client might give the attacker a clue.

阅读其他人的回答和评论,有些提到有关<代码>Referer(频谱中r)和标识的问题。

Referrers shouldn t be sent when going from HTTPS to HTTP (but they are often sent when going from one HTTPS site to another HTTPS site).
About the history: you ll just have to trust whoever can potentially get that key legitimately (i.e. your users) not to spread it around. If needed, have a strategy to change it once in a while.
About the logs: I was assuming you were after protection over the network. The URL (including query) will be in the logs indeed, but if someone is able to attack your machine so as to get the logs, you have more to worry about that your app keys.

剩余的潜在弱点之一是how<>>,请将这一环节与用户联系起来。如果它植根于一个网页上,就能够阅读该网页的任何人都可以看到。您也应在《关贸总协定》的网页上工作。如果你通过电子邮件发出这一联系,我就说所有信标都已关闭,因为邮件服务器很少对自己和用户之间的联系进行加密,也常常在没有加密的情况下查阅其电子邮件账户。

EDIT:

此外,如果你重新使用客户证书认证,如果在最初的双手中谈判,客户证书就会被看上去。这可能会泄露用户在网站的名声(通常主题DN包含用户名称)。如果客户证书是在重新谈判的手法中发出的,则该证明不会明显。

Answer 2

只有www.example.com,才能向 s户开放。申请的路段受到SSL/TLS的保护。

显然,你也必须寄出高超链路的原件。

Answer 3

申请数据将在建立安全连接之后发送,因此不会有上文URL的担忧,但铭记你的数据没有加密,只有服务器和客户之间的渠道被加密,如果能够打碎这一渠道,就可以清楚地看到你的数据。

SSL是你数据之上的精细加密渠道。如果数据是显而易见的,任何能够打碎SSL的人都可以清楚地看到你的数据。

Answer 4

Revising my answer to NO! Apparently only the host name is sent in clear text before the SSL connection is established.

rel=“nofollow>> http://answers.google.com/answers/threadview/id/758002.html。

Answer 5

这取决于。

如果你使用包裹,你就无法看到电线上发送的数据。这种做法的主要问题是,请求书状常常在服务器的印本记录中保存,浏览器的历史保存着陶尔,URLs被转手头通过,第三方服务(google analytics)可能坚持。

友情链接