Re: [PHP] Re: security question...??

2005-07-09 Thread Chris Shiflett
Matthew Weier O'Phinney wrote: The reason I ask is that (1) it shouldn't matter HOW the HTTP request is initiated. What *should* matter is that the page handles the request gracefully and returns something (HTTP headers only, or headers + page) as a result. That's an interesting way of

RE: [PHP] Re: security question...??

2005-06-22 Thread bruce
PROTECTED] Sent: Tuesday, June 21, 2005 3:18 PM To: php-general@lists.php.net Subject: Re: [PHP] Re: security question...?? Documented research indicate that on Tue, 21 Jun 2005 13:37:50 -0700, bruce wrote: chris... what you state is true at the extreme... but in the case of an client app, i could

Re: [PHP] Re: security question...??

2005-06-22 Thread Rory Browne
to is legitimate!! -bruce -Original Message- From: Rene Brehmer [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 21, 2005 3:18 PM To: php-general@lists.php.net Subject: Re: [PHP] Re: security question...?? Documented research indicate that on Tue, 21 Jun 2005 13:37:50 -0700, bruce

RE: [PHP] Re: security question...??

2005-06-22 Thread bruce
6:58 AM To: [EMAIL PROTECTED] Cc: Rene Brehmer; php-general@lists.php.net Subject: Re: [PHP] Re: security question...?? Okay Bruce: There's one very major problem with your suggestion - IT CAN NOT BE DONE. YOU CAN NOT TEST A REMOTE PIECE OF SOFTWARE TO MAKE SURE THAT THERE HAVE BEEN NO CHANGES

RE: [PHP] Re: security question...??

2005-06-22 Thread Chris W. Parker
bruce mailto:[EMAIL PROTECTED] on Wednesday, June 22, 2005 10:28 AM said: sure it can rory... i can give you a file... i create a hash of the file... if i have a process within the file that i give you that allows the file to more or less create the hash of itself, and if i can

RE: [PHP] Re: security question...??

2005-06-22 Thread Murray @ PlanetThoughtful
if i as a bank, refuse to allow you to signin to my server, because i detect that your client is not valid/legitimate, meaning i think it's been hacked, how have i trampled the rights of anyone. i haven't. will some customers run, sure.. perhaps.. will i potentially feel better. yeah. will i

Re: [PHP] Re: security question...??

2005-06-22 Thread Rory Browne
, June 22, 2005 6:58 AM To: [EMAIL PROTECTED] Cc: Rene Brehmer; php-general@lists.php.net Subject: Re: [PHP] Re: security question...?? Okay Bruce: There's one very major problem with your suggestion - IT CAN NOT BE DONE. YOU CAN NOT TEST A REMOTE PIECE OF SOFTWARE TO MAKE SURE

Re: [PHP] Re: security question...??

2005-06-22 Thread Rene Brehmer
Bruce, I think you missed my point here: No matter how secure the client's browser is, or even if he uses a custom made Client Access Program (believe me, the banks in Denmark used that approach at first because browsers weren't secure enough), it still doesn't change the fact that there may be

RE: [PHP] Re: security question...??

2005-06-22 Thread bruce
-general@lists.php.net Subject: RE: [PHP] Re: security question...?? bruce mailto:[EMAIL PROTECTED] on Wednesday, June 22, 2005 10:28 AM said: sure it can rory... i can give you a file... i create a hash of the file... if i have a process within the file that i give you that allows

RE: [PHP] Re: security question...??

2005-06-22 Thread bruce
be real, there will never be a solution for any problem that satisfies everyone! that's life.. peace.. -bruce -Original Message- From: Rene Brehmer [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 22, 2005 2:55 PM To: php-general@lists.php.net Subject: Re: [PHP] Re: security question

RE: [PHP] Re: security question...??

2005-06-22 Thread Chris W. Parker
bruce mailto:[EMAIL PROTECTED] on Wednesday, June 22, 2005 3:17 PM said: but chris... go back and look at the entire thread... i never stated that i wanted to be able to know whether the entire system is secure on the client's end.. i stated that i wanted to be able to know if the

RE: [PHP] Re: security question...??

2005-06-22 Thread Richard Lynch
On Wed, June 22, 2005 3:27 pm, bruce said: rene.. you've grasped the problem/issue, as have most. all i said was that i've started to think about the issue of security as also meaning i have to start thinking about the client. just as users have had to start to think about 'is the site i'm

Re: [PHP] Re: security question...??

2005-06-21 Thread Rene Brehmer
However secure you try to make a web application, even with encryption, it still does not hinder anyone from putting a packet sniffer on your client and grab whatever sensitive information you send out. And if a hacker really wanted to get hold of your sensitive information, he wouldn't actually

RE: [PHP] Re: security question...??

2005-06-21 Thread Shaw, Chris - Accenture
. This was easily spoofed. -Original Message- From: Rene Brehmer [mailto:[EMAIL PROTECTED] Sent: 21 June 2005 09:12 To: php-general@lists.php.net Subject: Re: [PHP] Re: security question...?? * This e-mail has been received by the Revenue Internet e-mail service

Re: [PHP] Re: security question...??

2005-06-21 Thread david forums
] Sent: 21 June 2005 09:12 To: php-general@lists.php.net Subject: Re: [PHP] Re: security question...?? * This e-mail has been received by the Revenue Internet e-mail service. * However secure you try to make a web application

Re: [PHP] Re: security question...??

2005-06-21 Thread Matthew Weier O'Phinney
* david forums [EMAIL PROTECTED]: Why don't you try to get interactivity with ID machin which is unique, or with mac address. MAC address wouldn't work if the user is behind a proxy. -- Matthew Weier O'Phinney | WEBSITES: Webmaster and IT Specialist | http://www.garden.org

Re: [PHP] Re: security question...??

2005-06-21 Thread Rory Browne
On 6/21/05, Matthew Weier O'Phinney [EMAIL PROTECTED] wrote: * david forums [EMAIL PROTECTED]: Why don't you try to get interactivity with ID machin which is unique, or with mac address. MAC address wouldn't work if the user is behind a proxy. I think you mean IP addresses. MAC's won't

RE: [PHP] Re: security question...??

2005-06-21 Thread bruce
: [PHP] Re: security question...?? On 6/21/05, Matthew Weier O'Phinney [EMAIL PROTECTED] wrote: * david forums [EMAIL PROTECTED]: Why don't you try to get interactivity with ID machin which is unique, or with mac address. MAC address wouldn't work if the user is behind a proxy. I think you mean

Re: [PHP] Re: security question...??

2005-06-21 Thread Jason Barnett
I haven't tried it yet, but clock skew looks interesting: http://www.aunty-spam.com/track-any-computer-on-the-internet-using-its-clock-skew-fingerprint/

Re: [PHP] Re: security question...??

2005-06-21 Thread david forums
I read this article, which is very interesting. I will work over a tracking service, and I'm very interested in that information. But my main question is how to do it with php. If some of you try this please let us know how to apply it with php. regards david Le Tue, 21 Jun

RE: [PHP] Re: security question...??

2005-06-21 Thread Shaw, Chris - Accenture
] Sent: 21 June 2005 16:06 To: 'Rory Browne'; 'Matthew Weier O'Phinney' Cc: php-general@lists.php.net Subject: RE: [PHP] Re: security question...?? * This e-mail has been received by the Revenue Internet e-mail service

Re: [PHP] Re: security question...??

2005-06-21 Thread Duncan Hill
On Tuesday 21 June 2005 16:05, bruce typed: if i'm the server app, and you tell me that you're IE, v.6, i'd like the ability to somehow be able to gather information from you, such that i can then check with msoft to see if your answers match what msoft claims the answers should be. if you

Re: [PHP] Re: security question...??

2005-06-21 Thread Jason Wong
On Tuesday 21 June 2005 23:05, bruce wrote: if i'm the server app, and you tell me that you're IE, v.6, i'd like the ability to somehow be able to gather information from you, such that i can then check with msoft to see if your answers match what msoft claims the answers should be. if you

Re: [PHP] Re: security question...??

2005-06-21 Thread Jason Barnett
This was an interesting topic when it started, but this is getting way out of the realm of PHP and you are in danger of your messages going my /dev/null. I understand your concerns about application security being all-encompassing, but there have been a lot of good suggestions on how to

RE: [PHP] Re: security question...??

2005-06-21 Thread Chris W. Parker
bruce mailto:[EMAIL PROTECTED] on Monday, June 20, 2005 5:50 PM said: if you're going to be writing apps that deal with sensitive information, you better damm well give some thought as to how secure the client is, or even if the client is actually valid! It's not possible to determine the

Re: [PHP] Re: security question...??

2005-06-21 Thread Matthew Weier O'Phinney
* Rory Browne [EMAIL PROTECTED] : On 6/21/05, Matthew Weier O'Phinney [EMAIL PROTECTED] wrote: * david forums [EMAIL PROTECTED] : Why don't you try to get interactivity with ID machin which is unique, or with mac address. MAC address wouldn't work if the user is behind a proxy. I

RE: [PHP] Re: security question...??

2005-06-21 Thread bruce
Message- From: Chris W. Parker [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 21, 2005 10:21 AM To: [EMAIL PROTECTED]; -{ Rene Brehmer }-; php-general@lists.php.net Subject: RE: [PHP] Re: security question...?? bruce mailto:[EMAIL PROTECTED] on Monday, June 20, 2005 5:50 PM said: if you're

RE: [PHP] Re: security question...??

2005-06-21 Thread Chris W. Parker
bruce mailto:[EMAIL PROTECTED] on Tuesday, June 21, 2005 1:38 PM said: what you state is true at the extreme... but in the case of an client app, i could already extract information about the various apps that make up the client.. ie if, as in the case of IE, I was able to get information

Re: [PHP] Re: security question...??

2005-06-21 Thread Rory Browne
Even if you could pull it off technically, and I'd be very interested if you did, considering that the most insecure browser out there, is also the most commonly used. Ditto for OS. If all you're concerned about is client image (which from the tone seems to be the case), then you could simply

Re: [PHP] Re: security question...??

2005-06-21 Thread Rene Brehmer
Documented research indicate that on Tue, 21 Jun 2005 16:25:36 +0100, Shaw, Chris - Accenture wrote: You could always use a IE exploit to crash the browser, if they are still requesting, you know they are not IE. ;) Out of interest, what information are you planning on getting from the

Re: [PHP] Re: security question...??

2005-06-21 Thread Rene Brehmer
Documented research indicate that on Tue, 21 Jun 2005 13:37:50 -0700, bruce wrote: chris... what you state is true at the extreme... but in the case of an client app, i could already extract information about the various apps that make up the client.. ie if, as in the case of IE, I was able

RE: [PHP] Re: security question...??

2005-06-20 Thread bruce
jason... it's the 2nd point... the hacked app that i'm concerned/thinking about... as i stated, a secure app/system incorporates not just the system, and the wire, it also deals with the client app that's being used. and in fact, i'm of the belief that the manufacturers/developers of a given

Re: [PHP] Re: security question...??

2005-06-20 Thread Jason Barnett
Please do not CC me; I will check the newsgroups and usually respond to all messages there. Onward! bruce wrote: jason... it's the 2nd point... the hacked app that i'm concerned/thinking about... as i stated, a secure app/system incorporates not just the system, and the wire, it also deals

Re: [PHP] Re: security question...??

2005-06-20 Thread -{ Rene Brehmer }-
I don't see any way of doing such a thing, without also seeing how easily it would be to fake it. I'm not really sure what it is you want to achieve. As a webmaster you can't really take responsibility for the clients using insecure software to access your website. It is technically possible to

RE: [PHP] Re: security question...??

2005-06-20 Thread bruce
matt... you miss what i'm saying, and what my point is. i as a server communicate with clients. under normal situations, the client is used to communicate back to the server. but what if someone created a 'client' that looked like IE, except this client was really sending the information entered

RE: [PHP] Re: security question...??

2005-06-20 Thread bruce
: Monday, June 20, 2005 3:52 PM To: php-general@lists.php.net Subject: Re: [PHP] Re: security question...?? I don't see any way of doing such a thing, without also seeing how easily it would be to fake it. I'm not really sure what it is you want to achieve. As a webmaster you can't really take

RE: [PHP] Re: security question...??

2005-06-20 Thread Murray @ PlanetThoughtful
from my perspective, i strongly disagree... if you're going to be writing apps that deal with sensitive information, you better damm well give some thought as to how secure the client is, or even if the client is actually valid! To the best of my knowledge, if you're developing an app that

Re: [PHP] Re: security question...??

2005-06-20 Thread Matthew Weier O'Phinney
* bruce [EMAIL PROTECTED]: you miss what i'm saying, and what my point is. i as a server communicate with clients. under normal situations, the client is used to communicate back to the server. but what if someone created a 'client' that looked like IE, except this client was really sending

Re: [PHP] Re: security question...??

2005-06-20 Thread Matthew Weier O'Phinney
* bruce [EMAIL PROTECTED]: if you're going to be writing apps that deal with sensitive information, you better damm well give some thought as to how secure the client is, That's what encryption using public/private keypairs is for. The client encrypts the data with the public key, and the only