Warm tip: This article is reproduced from serverfault.com, please click
architecture security ssl consistent-hashing

Is it necessary to hash data POSTed if using SSL?

发布于 2020-12-02 09:29:52

In some sensitive apps, like payment systems, code is set up as such: when user sends info to server, for example:

{money_amount: 5, receiver_id: 2}

It's also required to send over a hashed string, like:

hash_by_client = make_hash_from_string("money" + money_amount + "receiver" + receiver_id)

The purpose: so that when server receives the data, it independently, but using the same algorithm, computes another hashed string (hash_by_sever) , and compare hash_by_sever with hash_by_client. If they are equal, then server is sure the POSTed data is not modified, and can be trusted to proceed.

Question: if we are using SSL/TSL/https connections, is this setup still necessary?

Questioner
Morris
Viewed
0
分享
pbuck 2020-12-03 06:18:36

Not necessary. The information sent will already be encrypted, so adding a hash doesn't improve on that.

As mentioned in a comment a hash might be good to catch "if the sender is attempting to hack." True, but note that your hash_by_client() function is (most likely) executing in javascript which the potential hacker can easily access.

So the hash merely provides a false sense of security.

热门帖子

1
十兆宽带 100 块钱一个月我是活在 80 年代吗?
2
关于高质量 屏幕共享的问题
3
我是真的受不了打小报告的三八了!
4
[开发者自荐] AirBattery: 在 Mac 端获取所有设备的电量并显示在 Dock 或状态栏上
5
南京移动 IPV6 被停
6
WireGuard 跨国组网失败后,一个新工具的诞生
7
你的 IDEA(2024.1) 在 macOS 上崩吗?
8
居家办公 兼谈普通人的无聊和解救方式
9
拼多多开始用灵动岛放广告了?
10
准备买个二手 Apple Watch, Ultra1 还是 Ultra2

热门github

1
A multi-platform library for OpenGL, OpenGL ES, Vulkan, window and input
2
Dev tool that writes scalable apps from scratch while the developer oversees the implementation
3
shadcn/ui, but for Svelte. ✨
4
The Python Risk Identification Tool for generative AI (PyRIT) is an open access automation framework to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems.
5
Performance-portable, length-agnostic SIMD with runtime dispatch
6
ZK Credo
7
OpenCodeInterpreter: Integrating Code Generation with Execution and Refinement
8
Joplin - the secure note taking and to-do app with synchronisation capabilities for Windows, macOS, Linux, Android and iOS.
9
Mamba is a new state space model architecture showing promising performance on information-dense data such as language modeling, where previous subquadratic models fall short of Transformers. It is based on the line of progress on structured state space models, with an efficient hardware-aware design and implementation in the spirit of FlashAttention.
10
This repository contains System Design resources which are useful while preparing for interviews and learning Distributed Systems
11
Curso para aprender el lenguaje de programación Python desde cero y para principiantes. 75 clases, 37 horas en vídeo, código, proyectos y grupo de chat. Fundamentos, frontend, backend, testing, IA...
12
🎓 Path to a free self-taught education in Computer Science!
13
1️⃣🐝🏎️ The One Billion Row Challenge -- A fun exploration of how quickly 1B rows from a text file can be aggregated with Java
14
A collective list of free APIs
15
📚 Freely available programming books