Author: toad
Date: 2009-01-08 20:10:17 +0000 (Thu, 08 Jan 2009)
New Revision: 24979
Modified:
trunk/freenet/src/freenet/clients/http/SimpleToadletServer.java
Log:
Cut the length of the secureid to 96 bits = 16 characters in base64. This is
plenty imho.
Modified: trunk/freenet/src/freenet/clients/http/SimpleToadletServer.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/SimpleToadletServer.java
2009-01-08 16:38:32 UTC (rev 24978)
+++ trunk/freenet/src/freenet/clients/http/SimpleToadletServer.java
2009-01-08 20:10:17 UTC (rev 24979)
@@ -816,6 +816,16 @@
return bf;
}
+ /** How long should the secureid= be? We don't want the URLs to be
really long...
+ * One attempt requires the attacker to modify the DOM, trigger a
relayout, and then
+ * read the link color out of the DOM. Relayout can be batched, but if
it's too big
+ * it gets really slow and the user notices... The lookup is done to
determine whether
+ * to display this element. A miss results in no relayout. Maybe this
could be
+ * optimised down to hundreds of cycles ... in practice it's probably a
lot more than
+ * that. Hopefully by the time probing 96 bits is feasible, browsers
will turn off
+ * history probing by default! */
+ static final int SID_LENGTH_BYTES = 12;
+
public String generateSID(String realPath) throws
URLEncodedFormatException {
MessageDigest md = SHA256.getMessageDigest();
realPath = prepareForSID(realPath);
@@ -826,8 +836,10 @@
}
md.update(clientNonce);
byte[] output = md.digest();
+ byte[] finalOutput = new byte[SID_LENGTH_BYTES];
+ System.arraycopy(output, 0, finalOutput, 0, SID_LENGTH_BYTES);
SHA256.returnMessageDigest(md);
- return Base64.encode(output);
+ return Base64.encode(finalOutput);
}
private String prepareForSID(String realPath) throws
URLEncodedFormatException {
_______________________________________________
cvs mailing list
[email protected]
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/cvs
