On Mon, Mar 10, 2008 at 9:54 AM, Ricardo SIGNES <[EMAIL PROTECTED]> wrote:
>
> I think the amount of brute force required would still be pretty darn brutal.

Doesn't it depend upon the operator's choice of passphrase? And whether tomorrow is the day a weakness is found in the encryption method? (In 2003 the NSA said Rijndael could be used for classified data. In 2006, the NSA said it couldn't.)

> I wouldn't use this for anything like banking or credit cards, but I feel
> pretty okay about it for things like a Rubric login.

The problem (from my perspective) is that if it's encrypted *I* have no idea what you're trying to store on *my* computer. Nor what encryption method you've chosen (if any at all; it could be base64 encoding to obfuscate the data), nor your diligence in choosing a passphrase.

> Probably what I'll do in the (near) future is have an n-day log of secrets,
> generated daily. The cookie will then be like
>
> { generated: yyyymmdd, cookie: ciphertext }
>
> You'll have to crack the secret within n days, which makes it even more
> tedious.

I was thinking more along the lines of a cracked cookie being harmful to me, not you. :)

This just doesn't seem like a good use of a cookie to me. It could be a good use. But, as the person upon whose computer it is being placed (which might be a public computer, et al.), I can't tell if it's a good use because it's encrypted. A lack of transparency into what's being placed on (hopefully) my computer doesn't seem like a good thing.

It may make the operator's processing more efficient and scalable. But I'm old enough to remember people making that argument for storing private information as hidden form fields 15 years ago.

Mark

##### CGI::Application community mailing list ################
##
## To unsubscribe, or change your message delivery options,
## visit: http://www.erlbaum.net/mailman/listinfo/cgiapp
##
## Web archive: http://www.erlbaum.net/pipermail/cgiapp/
## Wiki: http://cgiapp.erlbaum.net/
##
################################################################
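The rotating-secret scheme quoted above (an n-day log of secrets generated daily, and a cookie of the form `{ generated: yyyymmdd, cookie: ciphertext }`) is concrete enough to show in code. What follows is an added example written for this page; it is not code from the thread, from Rubric, or from CGI::Application. Assumptions: the window is 3 days (`N_DAYS`), the day secrets are random 32-byte keys kept in a `SecretLog` dictionary, and because the standard library has no AEAD, the ciphertext is produced by HMAC-SHA256 in counter mode with a separate HMAC tag (a stand-in for a real AEAD such as AES-GCM). All function and class names are hypothetical. The point it adds to the discussion is the verifier's side: a cookie is rejected when its `generated` day is outside the window, when the day's secret has already been pruned, when the date is in the future, or when the tag fails, and the tag is checked before anything is decrypted.

```python
"""Rolling daily secrets + {generated, cookie} sealing. Added example, not
code from the thread. HMAC-SHA256 counter-mode keystream stands in for a
real AEAD (assumption); everything else is standard-library Python."""
import base64
import datetime
import hashlib
import hmac
import json
import secrets

N_DAYS = 3            # assumption: days a cookie stays verifiable
DATE_FMT = "%Y%m%d"   # the yyyymmdd field from the quoted proposal
NONCE_LEN, TAG_LEN = 16, 32


def day(yyyymmdd: str) -> datetime.date:
    return datetime.datetime.strptime(yyyymmdd, DATE_FMT).date()


class SecretLog:
    """The 'n-day log of secrets, generated daily': one random key per day."""

    def __init__(self):
        self._log = {}

    def generate(self, d: datetime.date) -> bytes:
        """Create the secret for a day if missing (the daily job), return it."""
        return self._log.setdefault(d.strftime(DATE_FMT), secrets.token_bytes(32))

    def lookup(self, yyyymmdd: str):
        return self._log.get(yyyymmdd)

    def prune(self, today: datetime.date) -> None:
        """Forget secrets older than N_DAYS; their cookies die with them."""
        cutoff = (today - datetime.timedelta(days=N_DAYS)).strftime(DATE_FMT)
        for old in [k for k in self._log if k < cutoff]:
            del self._log[old]


def _subkeys(day_secret: bytes):
    """Separate encryption and MAC keys derived from the day secret."""
    enc = hmac.new(day_secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(day_secret, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumption: AEAD stand-in)."""
    stream, ctr = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(log: SecretLog, payload: dict, d: datetime.date) -> str:
    """Produce the outer JSON {"generated": yyyymmdd, "cookie": blob}."""
    enc_key, mac_key = _subkeys(log.generate(d))
    generated = d.strftime(DATE_FMT)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(mac_key, generated.encode() + nonce + ct, hashlib.sha256).digest()
    blob = base64.urlsafe_b64encode(nonce + ct + tag).decode()
    return json.dumps({"generated": generated, "cookie": blob})


def unseal(log: SecretLog, cookie: str, today: datetime.date):
    """Return the payload, or None if expired, future-dated, unknown or tampered."""
    try:
        outer = json.loads(cookie)
        generated = outer["generated"]
        raw = base64.urlsafe_b64decode(outer["cookie"])
        age = (today - day(generated)).days
    except (ValueError, KeyError, TypeError):
        return None
    if age < 0 or age > N_DAYS:
        return None                       # outside the n-day window
    secret = log.lookup(generated)
    if secret is None or len(raw) < NONCE_LEN + TAG_LEN:
        return None                       # secret already rotated out, or truncated
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = _subkeys(secret)
    expect = hmac.new(mac_key, generated.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None                       # verify the tag before touching the ciphertext
    return json.loads(_keystream_xor(enc_key, nonce, ct))


def run_demo() -> dict:
    """Exercise every rejection path with a constructed payload."""
    log, mar10 = SecretLog(), day("20080310")
    cookie = seal(log, {"user": "mark", "app": "rubric"}, mar10)   # constructed payload
    outer = json.loads(cookie)
    raw = bytearray(base64.urlsafe_b64decode(outer["cookie"]))
    raw[NONCE_LEN + 2] ^= 0x01                                     # flip one ciphertext bit
    forged = json.dumps({"generated": outer["generated"],
                         "cookie": base64.urlsafe_b64encode(bytes(raw)).decode()})
    results = {
        "roundtrip": unseal(log, cookie, day("20080311")),
        "tampered": unseal(log, forged, day("20080311")),
        "expired": unseal(log, cookie, day("20080314")),           # N_DAYS + 1 later
        "future_dated": unseal(log, cookie, day("20080309")),
        "unknown_secret": unseal(SecretLog(), cookie, mar10),      # a log that never had the key
    }
    log.prune(day("20080314"))
    results["pruned"] = log.lookup("20080310") is None
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that the tag, not the encryption, is what stops a forged or replayed-from-another-day cookie; the encryption only hides the contents, which is exactly the transparency concern raised in the reply above.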