Sunanda,
Your words enlightened some obscure points of the matter to me
Thanks
Carlos
Em Ter 21 Out 2003 19:30, [EMAIL PROTECTED] escreveu:
> Carlos:
> > Is it secure to pass a checksum/secure value on a URL
> > I mean when GET method is used on CGI?
>
> Checksum/secure is proof against reverse engineering (given
> #{DE187642E6C75F60D10F29E52CAB54CDF676870D} you'd have a hard job working
> it backwards to the original string).
>
> But it isn't safe if the item you have checksumed is easily guessable. If
> I think you are using people's names, I can do a dictionary attack to find
> the matching checksum:
>
> foreach item ["carlos" "joel" "brett" "carl" "sunanda"] [
> print [item checksum/secure item]]
>
> Cracked in moments!
>
> So be careful of the strings you decide to checksum. You might think
> checksum/secure form now/precise
> was safe. But it really isn't against a simple calendar attack.
>
> The other problem is that URLs pass through a host of intervening machines
> downstream of you and your server. So:
>
> http://www.myserver.com/mycgi.r?username=carlos&password=#{A8C40A306844B07D
>7B3 C733C3A9EF479ADAFAC1D}
>
> will be seen by many machines en route. To be truly safe, you'd want to
> make sure that
> password=#{A8C40A306844B07D7B3C733C3A9EF479ADAFAC1D}
>
> only works once -- on the next request it is a different checksum value.
> Otherwise, someone could simply spoof you by copying the value.
>
> Of course, that needs some extra messing around; and whether it's worth the
> bother depends on the value of your data, and how much you expect
> interlopers to come and attack you,
>
> Sunanda
--
To unsubscribe from this list, just send an email to
[EMAIL PROTECTED] with unsubscribe as the subject.
