
Secure authentication without SSL

Updated: 2023-12-04 23:16:52

You can securely authenticate without needing to implement protection against eavesdropping. For example, you can prevent others from sending requests, even though they can read the contents of your requests. If you need to protect against eavesdropping, I'd recommend just going somewhere where you can use SSL.

If you just need simple authentication without real security, your provider will probably support HTTP Basic. This (along with a good design which limits capabilities, and backups ;) is a reasonable interim solution while you worry about other problems.

For authenticating your identity, OpenID can't be replayed. Each authentication sequence is signed. However, OpenID by itself only lets you establish your identity with the server. It won't let you sign or otherwise authenticate a request. OAuth would, but it requires transport encryption for part of the protocol.

You could sign each request with a shared secret. This would prevent an attacker from submitting or replaying a request, but the requests themselves can still be read by an eavesdropper. See the documentation for Amazon AWS authentication (which includes client libraries) or flickr's authentication. The basic protocol is:

  • Require a timestamp (and possibly a nonce) as a request parameter
  • Canonicalize, sort, and concatenate all request parameters
  • Concatenate the URI, host, verb, etc.
  • Hash with the secret key
  • Send the hash in a request header
  • The server does the same and compares the signatures
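The six steps above, carried through end to end as an added example (this is not code from the answer, AWS or flickr; the secret, host, path and parameter names are constructed for illustration). The client builds a canonical string from verb, host, path and sorted URL-encoded parameters and computes an HMAC-SHA256 over it with the shared secret; the server rebuilds the same string, checks the timestamp against a skew window, rejects nonces it has already seen, and compares the signatures in constant time. The timestamp window and nonce cache are what turn "the server does the same and compares" into actual replay protection; without them a captured request could be resent until the key rotates.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed shared secret for this example; a real deployment provisions it
# out of band (e.g. an API secret shown once in an account console).
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Requests whose timestamp is further than this from server time are rejected.
CLOCK_SKEW_SECONDS = 300


def canonical_string(method, host, path, params):
    """Step 2 and 3: sorted, URL-encoded params joined with '&', then verb, host
    and path prepended. Client and server must build exactly the same string,
    so case and encoding are normalised here rather than left to chance."""
    encoded = "&".join(
        f"{quote(str(k), safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([method.upper(), host.lower(), path, encoded])


def sign_request(secret, method, host, path, params):
    """Step 4: client-side HMAC-SHA256 over the canonical string (hex-encoded).
    The caller sends the result in a header, e.g. X-Signature (step 5)."""
    msg = canonical_string(method, host, path, params).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Step 6: server side. Recomputes the signature and enforces freshness
    (timestamp window) and uniqueness (nonce cache) so a captured request
    cannot simply be resent."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now              # injectable clock, so tests are deterministic
        self.seen_nonces = {}       # nonce -> timestamp of the request that used it

    def verify(self, method, host, path, params, signature):
        # Step 1: timestamp and nonce are mandatory request parameters.
        try:
            ts = int(params["timestamp"])
            nonce = str(params["nonce"])
        except (KeyError, TypeError, ValueError):
            return False
        if not isinstance(signature, str):
            return False

        now = int(self.now())
        if abs(now - ts) > CLOCK_SKEW_SECONDS:
            return False            # too old or too far in the future

        # Forget nonces older than the skew window; a replay that old is already
        # rejected by the timestamp check, so the cache stays bounded.
        self.seen_nonces = {
            n: t for n, t in self.seen_nonces.items()
            if now - t <= CLOCK_SKEW_SECONDS
        }
        if nonce in self.seen_nonces:
            return False            # same nonce seen before: replay

        expected = sign_request(self.secret, method, host, path, params)
        # Constant-time comparison: a plain '==' would leak how many leading
        # bytes of a guessed signature were correct.
        if not hmac.compare_digest(expected, signature):
            return False

        self.seen_nonces[nonce] = ts
        return True


if __name__ == "__main__":
    # Constructed demo round trip: sign on the client, verify twice on the server.
    params = {"action": "list", "timestamp": str(int(time.time())), "nonce": "n-1"}
    sig = sign_request(SHARED_SECRET, "GET", "api.example.com", "/v1/items", params)
    server = Verifier(SHARED_SECRET)
    print("first attempt:", server.verify("GET", "api.example.com", "/v1/items", params, sig))
    print("replay:", server.verify("GET", "api.example.com", "/v1/items", params, sig))
```

Note that the signature only covers what goes into the canonical string; a request body, if one is sent, has to be hashed into it as well (AWS does this with a content hash), otherwise the body can be altered without invalidating the signature. The nonce cache here is per-process; behind more than one server it would have to live in shared storage.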