On Jul 19, 2006, at 11:12 PM, [EMAIL PROTECTED] wrote:

Hi Donovan,

I'm curious about the "unguessable URL" you mentioned. URLs are inherently insecure because many ISPs, proxies, and other systems cache them. In fact, that's a large part of the HTTP cacheability you mentioned earlier. Are these URLs the only thing securing our resources?

Also, is this being offered through https? (Please say yes!)

You provided both sides of the story yourself. Unguessable URLs are no more insecure than a guessable URL and an unguessable cookie. Every ISP, proxy, and other system that has access to the request has access to the headers as well. So, the way to prevent replay attacks (proxies recording the unguessable part of a request and sending it again later in order to steal data) is to use a secure transport. You guessed it, https.

Donovan


_______________________________________________
libsecondlife-dev mailing list
libsecondlife-dev@gna.org
https://mail.gna.org/listinfo/libsecondlife-dev
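
An added illustration of the reply's argument, not code from the thread or from libsecondlife: a capability URL is only as strong as its random token and the transport it travels over. The `CapabilityStore` class, the `sim.example.invalid` host, the 128-bit token size and the revoke-on-cleartext policy are all assumptions made for the example.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

TOKEN_BYTES = 16  # assumed size: 128 bits from the OS CSPRNG


def _digest(token):
    # Store only a hash, so a leaked table does not reveal usable URLs
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class CapabilityStore:
    """Hypothetical store mapping unguessable URL tokens to resources."""

    def __init__(self, base="https://sim.example.invalid/cap/"):
        self.base = base
        self._caps = {}  # sha256(token) -> resource name

    def grant(self, resource):
        """Mint a fresh capability URL for a resource."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._caps[_digest(token)] = resource
        return self.base + token

    def resolve(self, url):
        """Return the resource for a capability URL, or None if refused."""
        parts = urlsplit(url)
        key = _digest(parts.path.rsplit("/", 1)[-1])
        if parts.scheme != "https":
            # Every hop could record a cleartext request, so the token is
            # burned: revoke it so a recorded copy cannot be replayed.
            self._caps.pop(key, None)
            return None
        return self._caps.get(key)


def demo():
    store = CapabilityStore()
    url = store.grant("inventory/alice")          # constructed sample resource
    over_tls = store.resolve(url)
    guessed = store.resolve(store.base + "A" * 22)
    cleartext = store.resolve("http" + url[len("https"):])
    replayed = store.resolve(url)                 # same token, after exposure
    return over_tls, guessed, cleartext, replayed


if __name__ == "__main__":
    print(demo())
```

The same token would need the same handling if it were carried in a cookie header instead of the path, which is the equivalence the reply draws.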
