[REBOL] Re: reading back checksum/secure

From: SunandaDH:aol at: 21-Oct-2003 17:30

Carlos:
> Is it secure to pass a checksum/secure value on a URL
> I mean when GET method is used on CGI?

Checksum/secure is proof against reverse engineering (given #{DE187642E6C75F60D10F29E52CAB54CDF676870D} you'd have a hard job working it backwards to the original string). But it isn't safe if the item you have checksummed is easily guessable. If I think you are using people's names, I can do a dictionary attack to find the matching checksum:

    foreach item ["carlos" "joel" "brett" "carl" "sunanda"] [
        print [item checksum/secure item]
    ]

Cracked in moments! So be careful of the strings you decide to checksum. You might think checksum/secure form now/precise was safe. But it really isn't against a simple calendar attack.

The other problem is that URLs pass through a host of intervening machines downstream of you and your server. So:

    http://www.myserver.com/mycgi.r?username=carlos&password=#{A8C40A306844B07D7B3C733C3A9EF479ADAFAC1D}

will be seen by many machines en route. To be truly safe, you'd want to make sure that password=#{A8C40A306844B07D7B3C733C3A9EF479ADAFAC1D} only works once -- on the next request it is a different checksum value. Otherwise, someone could simply spoof you by copying the value.

Of course, that needs some extra messing around; and whether it's worth the bother depends on the value of your data, and how much you expect interlopers to come and attack you,

Sunanda
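The two points in the reply above, as an added Python example that is not part of the original thread: a bare SHA-1 (what REBOL's checksum/secure computes) of a guessable string is recovered by hashing the likely inputs, and the "only works once" fix is a server-issued nonce that is spent on first use, so a value copied off the URL in transit is rejected on replay. The shared secret, the Server class and the candidate-name list are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the demo; nothing on the original page uses it.
SHARED_SECRET = b"demo-shared-secret"

def sha1_hex(s: str) -> str:
    """SHA-1 of a string, the same digest REBOL's checksum/secure produces."""
    return hashlib.sha1(s.encode()).hexdigest().upper()

def guessable(captured_hex: str, candidates):
    """The weakness in the post: a bare hash of a guessable input can be
    matched against the hashes of the likely inputs, so it hides nothing."""
    for c in candidates:
        if hmac.compare_digest(sha1_hex(c), captured_hex):
            return c
    return None

class Server:
    """Issues single-use nonces and accepts each proof exactly once."""

    def __init__(self) -> None:
        self.outstanding = set()  # nonces issued but not yet spent

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: str, token: str) -> bool:
        # Spend the nonce first: a replayed (nonce, token) pair copied by an
        # intermediate machine fails here even though the token was correct.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(SHARED_SECRET, nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, token)

def client_token(nonce: str) -> str:
    """Proof of the shared secret bound to this nonce; the secret never travels."""
    return hmac.new(SHARED_SECRET, nonce.encode(), "sha256").hexdigest()

def demo() -> tuple:
    srv = Server()
    nonce = srv.issue_nonce()
    token = client_token(nonce)
    # First use is accepted, the identical second request is not.
    return srv.verify(nonce, token), srv.verify(nonce, token)
```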