[REBOL] Re: reading back checksum/secure
From: SunandaDH:aol at: 21-Oct-2003 17:30
Carlos:
> Is it secure to pass a checksum/secure value on a URL
> I mean when GET method is used on CGI?
Checksum/secure is proof against reverse engineering (given
#{DE187642E6C75F60D10F29E52CAB54CDF676870D} you'd have a hard job working it backwards
to the
original string).
But it isn't safe if the item you have checksumed is easily guessable. If I
think you are using people's names, I can do a dictionary attack to find the
matching checksum:
foreach item ["carlos" "joel" "brett" "carl" "sunanda"] [
print [item checksum/secure item]]
Cracked in moments!
So be careful of the strings you decide to checksum. You might think
checksum/secure form now/precise
was safe. But it really isn't against a simple calendar attack.
The other problem is that URLs pass through a host of intervening machines
downstream of you and your server. So:
http://www.myserver.com/mycgi.r?username=carlos&password=#{A8C40A306844B07D7B3
C733C3A9EF479ADAFAC1D}
will be seen by many machines en route. To be truly safe, you'd want to make
sure that
password=#{A8C40A306844B07D7B3C733C3A9EF479ADAFAC1D}
only works once -- on the next request it is a different checksum value.
Otherwise, someone could simply spoof you by copying the value.
Of course, that needs some extra messing around; and whether it's worth the
bother depends on the value of your data, and how much you expect interlopers
to come and attack you,
Sunanda