websites prevent MITM attack for token based authentication?

I am new to web services and read about token based authentication which can be used with web services from What is token based authentication?. I searched on the internet but it's quite confusing how http based websites manage to do token based authentication without any security vulnerability.

What point I have?

I can sit in between server and client and store the token somehow by sniffing the traffic and make misuse of it before it expires. Am I wrong here?

EDIT

As mentioned on https://security.stackexchange.com/questions/46348/token-based-authentication-under-http.

"Facebook uses an OAuth token passed as a cookie or HTTP header and protected by HTTPS."

How can I implement this, as in that case the website will be http-based and only the http headers will be using https? Please correct me if I am wrong.


Your edit suggests a misunderstanding of what HTTPS does.

Normatively speaking, HTTP (meaning, the "language" that is spoken on the network, defined by https://www.ietf.org/rfc/rfc2616.txt) is a text based, "application level protocol", used over TCP sockets (TCP being the "transport level" layer).

In that sense, HTTP and HTTPS are the same "language", nothing differs in them. HTTP and HTTPS are both text based request/response protocols, each consisting of headers and a body, with requests specifying a verb such as GET, POST, PUT, ... No difference whatsoever.

What is different in HTTP vs. HTTPS is that underneath this HTTP "language" (application level protocol), HTTPS uses TCP sockets that are encrypted using an SSL or TLS layer that provides encryption.

As the SSL/TLS layer happens under the HTTP layer, there can be no difference between what happens to the headers of a request and what happens to the body.

Back to your question:

"How can I implement this, as in that case the website will be http-based and only the http headers will be using https? Please correct me if I am wrong."

You can't have only the headers, and not the body using HTTPS in a single request/response cycle. It's all or nothing.

The conclusion is, as per the article you link to: token based authentication can only be secure if the token is always secured. Which, if you are always using HTTPS (in all request/response), is guaranteed (both the headers and the body are protected). If even one single request or response is not sent over HTTPS, then you have a flaw.
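The "all or nothing" rule above is something the server side can enforce rather than hope for. The following is an added example, not code from the question or the answer: a transport guard that refuses a bearer token or session cookie presented over plain HTTP (and revokes it, because it has already crossed the network in the clear), redirects credential-free plain-HTTP requests to HTTPS, and sends an HSTS header on HTTPS responses so the browser stops making plain-HTTP requests to the host at all. The request dict, the `from_trusted_proxy` flag and the in-memory revocation set are constructed stand-ins for a real framework's request object and token store.

```python
# Added example (not from the original Q&A): server-side enforcement of
# "the token is only ever accepted over HTTPS". Assumptions: the request is a
# plain dict (scheme, host, path, headers, cookies), the server sets
# from_trusted_proxy=True only for connections from its own TLS-terminating
# proxy, and revoked_tokens stands in for a shared revocation store.
from typing import Dict, Optional, Set, Tuple

HSTS_VALUE = "max-age=31536000; includeSubDomains"
SESSION_COOKIE = "session"

# Tokens that have been observed in cleartext on the wire (constructed store).
revoked_tokens: Set[str] = set()


def extract_token(request: Dict) -> Optional[str]:
    """Return the bearer token from the Authorization header or the session
    cookie, or None if the request carries no credential."""
    auth = request.get("headers", {}).get("Authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    return request.get("cookies", {}).get(SESSION_COOKIE)


def is_https(request: Dict) -> bool:
    """True only if the client's hop to us is TLS. X-Forwarded-Proto is honoured
    solely when the connection comes from our own proxy; otherwise any client
    could set the header and pretend its plain-HTTP request was secure."""
    if request.get("scheme") == "https":
        return True
    forwarded = request.get("headers", {}).get("X-Forwarded-Proto", "").lower()
    return bool(request.get("from_trusted_proxy")) and forwarded == "https"


def secure_session_cookie(token: str) -> str:
    """Set-Cookie value for the session token. Secure stops the browser from
    ever sending it over plain HTTP; HttpOnly keeps it away from page scripts;
    SameSite limits cross-site sends."""
    return f"{SESSION_COOKIE}={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def guard(request: Dict) -> Tuple[int, Dict[str, str]]:
    """Transport check run before any authentication logic.
    Returns (status, response_headers)."""
    token = extract_token(request)
    if not is_https(request):
        if token is not None:
            # The credential travelled in cleartext: treat it as compromised,
            # revoke it and make the client re-authenticate (over HTTPS).
            revoked_tokens.add(token)
            return 401, {"WWW-Authenticate": "Bearer"}
        # Nothing sensitive was exposed; just move the client to HTTPS.
        target = "https://" + request.get("host", "") + request.get("path", "/")
        return 301, {"Location": target}
    if token is not None and token in revoked_tokens:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    # Secure hop: tell the browser to use HTTPS for this host from now on.
    return 200, {"Strict-Transport-Security": HSTS_VALUE}
```

Revoking rather than redirecting is the deliberate choice here: a 301 from http to https still leaves the token in the plaintext request that has already been sent, so the redirect alone does not undo the exposure the answer warns about.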
