I'm wondering if I have a web service like this:
Login(username, password)
or a page like
login.aspx?u=username&p=pass
If they were called from a desktop app, which would be more secure? From what I've read, a sniffer can read the request and figure out the URL. I AM hashing the passwords before putting them in the request, but if someone sees the request URL with the params/query string then they can make the request with the same values!?
How easy/hard is it for a sniffer to figure out the hashed password? Should I encrypt the password and username before putting them into the URL and web service? Any other options I have?
I'm asking because the data is NOT all that sensitive, but basic security should exist at a minimal performance cost.
NOTE: SSL is NOT an option
Use SSL to create a unique session token via a login service. Use that session token over standard HTTP for the rest.
Your login session will need to take the username/password as a POST, otherwise the values will be visible in the URL request to the server and to possible snooping on the network.
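The design in this answer, sketched beside the fixed-hash scheme from the question, as an added example that is not part of the original answer. `LoginService`, `client_hash` and `TOKEN_TTL` are hypothetical names, the account data is constructed, and the transport (TLS for the login POST) is assumed to sit outside this code.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900  # assumed session lifetime in seconds


def client_hash(password):
    # What the desktop app in the question puts in the URL: a fixed hash.
    return hashlib.sha256(password.encode()).hexdigest()


class LoginService:
    def __init__(self):
        self._hashes = {}    # username -> client-side hash (question's scheme)
        self._users = {}     # username -> (salt, PBKDF2 of password)
        self._sessions = {}  # token -> (username, expiry timestamp)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, stretched)
        self._hashes[username] = client_hash(password)

    def login_with_hash(self, username, sent_hash):
        # The hash never changes, so any copied request passes this check.
        stored = self._hashes.get(username, "")
        return hmac.compare_digest(stored, sent_hash)

    def login(self, username, password):
        # Called once, from a POST body over TLS; returns a random session token.
        salt, stored = self._users.get(username, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not stored or not hmac.compare_digest(stored, candidate):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.time() + TOKEN_TTL)
        return token

    def whoami(self, token, now=None):
        # Later requests carry only the token; expired or unknown tokens fail.
        username, expiry = self._sessions.get(token, (None, 0))
        if username is None or (now or time.time()) >= expiry:
            self._sessions.pop(token, None)
            return None
        return username
```

A token sent over plain HTTP can still be read on the wire, but unlike the fixed hash it is unrelated to the password and stops working when it expires.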
Just use HTTPS to encrypt the channel. That way you don't have to worry about sniffers.
If you're working with a bank, you may be obliged to use SSL. Check your local legislation - I think this will also determine what is sensitive data.