asp.net - Can https fallback to http and security level of https -


i considering installing ssl/tls domain. there 2 questions have been bothering me:

  • is there scenario https connection can fallback http? so, e.g. if ajax looks this

    $.post("https://foo.com", function(){   });

    is there chance change 

    $.post("http://foo.com", function(){   });

    and if domain still accesible @ http://foo.com ?

  • next have read extensively using ssl/tls , have read seems accurate assume if have enabled , if send user credentials in plain text, it's still secure (there encryption salt , on server of course). extent true , creating hash on client , sending on https more secure?

update: if sending plaintext on ssl secure enough, point of using things cnonce ? isn't unnecessary overhead on client?

  1. no, https never falls http automatically. take deliberate action user. if you're going web page putting url address bar, easy; form submission it's harder.

  2. yes, sending plain text on ssl fine. in fact, sending hashed password doesn't increase security @ -- if manages sniff connection , gets hashed password, that's need able login site. has 1 small advantage: if user uses same password @ multiple sites, learning hashed password 1 site doesn't them site uses different (or no) hash. , it's not feasible send salted hashes, since client doesn't know salt.

a cnonce adds level of protection. if, somehow, manages crack ssl encryption, cnonce prevents them getting usable password it. addresses point made above why sending hashed password doesn't help: need changes session session, , cnonce provides this.

see https://security.stackexchange.com/questions/3001/what-is-the-use-of-a-client-nonce


Comments

Post a Comment

Popular posts from this blog

curl - PHP fsockopen help required -

i trying work on cloudflare api , have found in documentation. unfortunately have no idea how can use in fsockopen or through curl. here example of post request. need know how can make request below data post using curl or fsockopen curl https://www.cloudflare.com/api_json.html -d 'a=cache_lvl' \ -d 'tkn=8afbe6dea02407989af4dd4c97bb6e25' \ -d 'email=sample@example.com' \ -d 'z=example.com' \ -d 'v=agg' here link cloudflare https://www.cloudflare.com/docs/client-api.html#s4.2 try one: $ch = curl_init("https://www.cloudflare.com/api_json.html"); curl_setopt($ch, curlopt_returntransfer,1); curl_setopt($ch, curlopt_followlocation, 1); curl_setopt($ch, curlopt_ssl_verifypeer,false); // handling of -d curl parameter here. $param = array( 'a' => 'cache_lvl', 'tkn' => '8afbe6dea02407989af4dd4c97bb6e25', 'email' => 'sample@example.com', 'z' =...
Read more

HTTP/1.0 407 Proxy Authentication Required PHP -

i working in restricted network/limited access internet. since have use proxy make web service call. here php code calling web service , response . $client = new soapclient("http: //www.xyz.com/abc/wsdls/login.wsdl", array("trace" => 1, "exceptions" => 1, 'proxy_host' => $proxy_host, 'proxy_port' => $proxy_port, 'proxy_login' => $proxy_login, 'proxy_password' => $proxy_password)); response is fatal error: uncaught soapfault exception: [wsdl] soap-error: parsing wsdl: couldn't load ' http://www.xyz.com/abc/wsdls/login.wsdl ' : failed load external entity if copy url error message , paste in browser(with same proxy settings) works. 2nd scenario is, if pass values instead of variables giving me diffarant response $client = new soapclient("http: //www.xyz.com/abc/wsdls/login.wsdl", array("trace" => 1, "exceptions" => 1, 'proxy_host' ...
Read more

c# - Resource not found error -

i have problem accessing method on homecontroller. show code of method : [httpget] public actionresult decriptidentifiantetredirige(string login_crypter, string mdp_crypter) { string loginacrypter = _globalmanager.protegemotdepasse(login_crypter); string mdpacrypter = _globalmanager.protegemotdepasse(mdp_crypter); user userapp = new models.user(login_crypter, mdp_crypter); if (userapp.authentificationvalidee(userapp.userlogin, userapp.password)) { session["name"] = userapp.userlogin; return redirecttoaction("accueil", "home"); } else { return redirecttoaction("validerauthentification", "home"); } } then in routeconfig.cs wrote route : routes.maproute( name: "authentificationapresdecryptage", url: "{controller}/{action}/{login_crypter}/{mdp_crypter}", defaults: new...
Read more