English:
Does net/smtp send credentials in plain text?
Question
I am looking at this example. http://golang.org/pkg/net/smtp/#example_PlainAuth
```go
package main

import (
	"log"
	"net/smtp"
)

func main() {
	// Set up authentication information.
	auth := smtp.PlainAuth("", "user@example.com", "password", "mail.example.com")
	to := []string{"recipient@example.net"}
	mesg := []byte("This is the email body.")
	err := smtp.SendMail("mail.example.com:25", auth, "sender@example.org", to, mesg)
	if err != nil {
		log.Fatal(err)
	}
}
```
Does smtp.PlainAuth send the credentials to the mail server in plain text? Is it safe to use net/smtp in real-world applications?
English:
I'm looking at this example. http://golang.org/pkg/net/smtp/#example_PlainAuth
```go
package main

import (
	"log"
	"net/smtp"
)

func main() {
	// Set up authentication information.
	auth := smtp.PlainAuth("", "user@example.com", "password", "mail.example.com")
	to := []string{"recipient@example.net"}
	mesg := []byte("This is the email body.")
	err := smtp.SendMail("mail.example.com:25", auth, "sender@example.org", to, mesg)
	if err != nil {
		log.Fatal(err)
	}
}
```
Does smtp.PlainAuth send credentials to the mail server in plain text? Is it safe to use net/smtp in the wild?
Answer 1
Score: 3
PlainAuth uses the PLAIN auth mechanism from RFC 4616, i.e. the username/password in cleartext. Normally, when you use this mechanism, encryption is handled at a lower layer: for example, you create a TLS connection and then use PlainAuth over it. If you are not communicating over an encrypted connection, using PlainAuth can be risky, because if the traffic is intercepted the username and password are easy to obtain.
But if you read it, you will see that the SendMail function says the following:
> SendMail connects to the server at addr, switches to TLS if possible, authenticates with the optional mechanism a if possible, and then sends an email from address from, to addresses to, with message msg.
So it will try to upgrade to TLS automatically where possible. As long as you use servers that support TLS, you should be relatively safe. The other authentication choice is CramMD5, but server support for this method is generally less common than for PlainAuth.
English:
PlainAuth uses the Plain auth mech from RFC 4616, which is the username/password in plain cleartext. Normally when you are using this, encryption will be handled at a lower level, for example you will create a TLS connection, and then use PlainAuth over that. If you are not talking over an encrypted connection, then use of PlainAuth can be risky as if the traffic is intercepted, the user/pass are easy to get.
But if you read, you will see the SendMail function says the following:
> SendMail connects to the server at addr, switches to TLS if possible, authenticates with the optional mechanism a if possible, and then sends an email from address from, to addresses to, with message msg.
So it will try to automatically upgrade to TLS where possible for you. So as long as you are using servers that support TLS, you should be relatively safe. The other Auth choice is CramMD5, but server support for this method is generally less common than PlainAuth which most everything supports.
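The answer above describes two things worth seeing in running code: what AUTH PLAIN actually puts on the wire (a base64 encoding, which is not encryption), and the difference between SendMail's opportunistic "TLS if possible" and a hard requirement that the session be TLS before any password is sent. The following program is an added example and is not part of the original question, answer, or the Go project's code. The `authOverTLSOnly` helper is a hypothetical wrapper around `smtp.Client` (not a net/smtp API), and `fakePlaintextServer` is a constructed, in-process stand-in for a server that advertises AUTH PLAIN over an unencrypted connection, wired to the client with `net.Pipe` so the whole thing runs offline. It also shows a safeguard built into net/smtp itself: `PlainAuth`'s `Start` refuses to hand over credentials when the session is not TLS and the server is not localhost, returning an "unencrypted connection" error.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/smtp"
	"strings"
)

// plainCredentialsOnWire builds the exact AUTH PLAIN response defined by
// RFC 4616: identity NUL username NUL password, base64-encoded. Base64 is an
// encoding, not encryption; anyone who can read the TCP stream reads the password.
func plainCredentialsOnWire(identity, username, password string) string {
	return base64.StdEncoding.EncodeToString([]byte(identity + "\x00" + username + "\x00" + password))
}

// errNoTLS is returned when authentication would otherwise happen in the clear.
var errNoTLS = errors.New("refusing to authenticate: session is not TLS")

// authOverTLSOnly is a hypothetical helper (not part of net/smtp) that turns
// SendMail's opportunistic "switches to TLS if possible" into a requirement:
// it checks the session state before the password ever leaves the process.
func authOverTLSOnly(c *smtp.Client, a smtp.Auth) error {
	if _, ok := c.TLSConnectionState(); !ok {
		return errNoTLS
	}
	return c.Auth(a)
}

// fakePlaintextServer speaks just enough SMTP over one end of a net.Pipe to
// greet a client, answer EHLO with "AUTH PLAIN", and accept whatever follows.
// It is a constructed stand-in for a server offering AUTH PLAIN without TLS.
func fakePlaintextServer(conn net.Conn) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	w := bufio.NewWriter(conn)
	fmt.Fprint(w, "220 fake.example.test ESMTP\r\n")
	w.Flush()
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return
		}
		cmd := strings.ToUpper(strings.TrimSpace(line))
		switch {
		case strings.HasPrefix(cmd, "EHLO"):
			fmt.Fprint(w, "250-fake.example.test\r\n250 AUTH PLAIN\r\n")
		case strings.HasPrefix(cmd, "AUTH"):
			fmt.Fprint(w, "235 2.7.0 Authentication successful\r\n")
		case strings.HasPrefix(cmd, "QUIT"):
			fmt.Fprint(w, "221 Bye\r\n")
			w.Flush()
			return
		default:
			fmt.Fprint(w, "500 unrecognized command\r\n")
		}
		w.Flush()
	}
}

// tryPlainAuthWithoutTLS connects a net/smtp client to the fake server over an
// unencrypted pipe and attempts PLAIN authentication, either through the
// enforcing helper or directly through Client.Auth. It returns the error the
// client produced; a nil result would mean the password went out in the clear.
func tryPlainAuthWithoutTLS(enforce bool) error {
	clientConn, serverConn := net.Pipe()
	go fakePlaintextServer(serverConn)
	c, err := smtp.NewClient(clientConn, "fake.example.test")
	if err != nil {
		return err
	}
	defer c.Close()
	// Constructed sample credentials; never real ones.
	auth := smtp.PlainAuth("", "user@example.com", "password", "fake.example.test")
	if enforce {
		return authOverTLSOnly(c, auth)
	}
	return c.Auth(auth)
}

func main() {
	fmt.Println("AUTH PLAIN payload:", plainCredentialsOnWire("", "user@example.com", "password"))
	fmt.Println("explicit TLS check:", tryPlainAuthWithoutTLS(true))
	fmt.Println("Client.Auth alone: ", tryPlainAuthWithoutTLS(false))
}
```

Both attempts fail, which is the point: the explicit check fails before EHLO is even sent, and `Client.Auth` on its own fails inside `PlainAuth.Start` with "unencrypted connection". The practical takeaway for production code is to not rely on the opportunistic upgrade at all: dial, call `StartTLS` with a `tls.Config` that verifies the server name, confirm `TLSConnectionState` reports a TLS session, and only then call `Auth`.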