security - Secure communications with SSL only used for log in?
I've read that you can't secure an API when using SSL only for logging in, but it seems to me that HMAC would enable it:
The client connects via SSL, sends credentials, and receives a session id cookie and a session secret. API calls are made via plain old HTTP/whatever, and include a timestamp + nonce, and a hash of (payload+timestamp+nonce+secret) that can be regenerated by the server to verify the client's possession of the secret and prevent replays. What am I missing that makes this insecure?
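The request-signing scheme the question describes, written out as an added example (this is not code from the question or the answer). It uses HMAC-SHA256 instead of a bare hash over the concatenation, length-prefixes every field before signing so that field boundaries cannot be shifted, accepts timestamps only within a skew window, and records a nonce only after the signature has verified. The secret, the path, the clock values and the sample body are constructed for the demo. Note what the scheme does and does not give you: a tampered or replayed request is rejected, but the body and the session id cookie still travel in cleartext over HTTP, so the MAC provides integrity and freshness, not confidentiality.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample: the per-session secret handed out during the HTTPS login.
SESSION_SECRET = b"constructed-session-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # accept timestamps within +/- 5 minutes of server time


def canonical_string(method, path, body, timestamp, nonce):
    """Bind method, path, body, timestamp and nonce into one byte string.
    Each field is length-prefixed so that moving bytes between fields changes the input."""
    parts = [method.encode(), path.encode(), body, str(timestamp).encode(), nonce.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the headers that accompany a plain-HTTP API call."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical_string(method, path, body, timestamp, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Server side: recompute the MAC from the session secret and reject stale,
    tampered or replayed requests. The body itself is still visible on the wire."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now  # injectable clock so the demo is deterministic
        self.seen = {}  # nonce -> timestamp, pruned once outside the skew window

    def verify(self, method, path, body, headers):
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        nonce = headers.get("X-Nonce", "")
        sig = headers.get("X-Signature", "")
        if not nonce or not sig:
            return False, "missing nonce or signature"
        if abs(self.now() - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        expected = hmac.new(self.secret, canonical_string(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "signature mismatch"
        # Only a correctly signed request may consume a nonce; otherwise an
        # unauthenticated party could pre-fill the cache and block legitimate calls.
        cutoff = self.now() - MAX_SKEW_SECONDS
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"


def demo():
    """Exercise the four outcomes: accepted, replayed, tampered, stale."""
    clock = [1_700_000_000]  # constructed server clock
    verifier = Verifier(SESSION_SECRET, now=lambda: clock[0])
    body = json.dumps({"action": "transfer", "amount": 10}).encode()
    headers = sign_request(SESSION_SECRET, "POST", "/api/transfer", body, timestamp=clock[0])

    first = verifier.verify("POST", "/api/transfer", body, headers)
    replay = verifier.verify("POST", "/api/transfer", body, headers)          # same nonce again
    tampered = verifier.verify("POST", "/api/transfer", body.replace(b"10", b"99"), headers)

    clock[0] += 600  # ten minutes later, a freshly nonced but old-timestamped request
    stale_headers = sign_request(SESSION_SECRET, "POST", "/api/transfer", body,
                                 timestamp=1_700_000_000)
    stale = verifier.verify("POST", "/api/transfer", body, stale_headers)
    return first, replay, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "tampered", "stale"), demo()):
        print(f"{label}: {result}")
```

The nonce cache is in-process memory here; in a real deployment it must be shared across every server that verifies requests (and bounded by the skew window, as above), or a replay sent to a different backend would succeed.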
Sites that utilize HTTPS for password entry and then fall back to HTTP are vulnerable to numerous attacks, including session cookie eavesdropping (aka Firesheep) and MITM attacks. That's why such sites are insecure, and why security folks recommend using sitewide SSL; sites using HTTPS only for password entry are "doing it wrong".
security http ssl