RE: Security
- Posted by Kat <kat at kogeijin.com> Nov 30, 2002
- 519 views
On 29 Nov 2002, at 14:35, munchr at mac.com wrote:

>
> At 11:57 AM 29/11/2002 -0600, Kat wrote regarding Victoria's Secret.
>
> So how then is a web site supposed to tell their customers apart so
> they don't mix up orders, information, etc.? Seems like there are only
> a few choices.
>
> They can use cookies, which seem like the easiest way. But some
> users won't accept those, and will be unable to use the web site.
>
> They can use encrypted URLs, which is going to require either
> JavaScript, ActiveX, or some other form of client-side processing.
> Again, people are going to be locked out of the web site if they
> disallow those technologies, or are unable to find a compatible
> web browser.
>
> Or, the web site can use standard form posting, which nearly
> every browser I have seen is able to do. But by doing so, they
> open themselves to very easy attack, because by changing the
> clear-text form post, anybody can look at anyone else's information.
>
> So either everybody gets to use the web site, and has to put up
> with low security, or a significant number of people are locked out
> of the web site in the name of security.
>
> Anybody have ideas on how to prevent information leaks like VS's,
> without locking out certain browsers, or security-conscious people?

Yes, use a large enough number base, and a large enough number in that base. For instance, if I attach the hidden POST form URL with this numeral: "er6yb2RTGWBD6trerBFSf6t78ERThgneRhnwwww456GWTq456BEFGqw4Y B9nwrfgbwr673n5yUHb35r56b7tynjtr4678EGF67678mnyuy5678" (base58), and I link it in my CGI to the IP block the customer came from, and other info their browser supplied, how many crackers will be able to guess the next client's numeral? Building these numerals dynamically in server-side includes is trivial, at least if I don't use *nix.

Kat

PS: or did I use base47 with some extra characters? Or base90 with some missing chars?
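An added example, not Kat's code or anything posted in the thread, of the scheme the reply sketches: a token drawn from a cryptographic random source, written out in base58, stored server-side and bound to the IP block and User-Agent the browser supplied, so a tampered form value resolves to nothing instead of to another customer's record. The Bitcoin-style base58 alphabet, the /24 and /64 block sizes and the 32-byte token length are assumptions.

```python
import secrets
import ipaddress
from typing import Optional

# Assumed alphabet (Bitcoin base58: no 0, O, I or l); the post names none.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(raw: bytes) -> str:
    """Encode bytes as base58; leading zero bytes become leading '1's."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def ip_block(addr: str) -> str:
    """Collapse a client address to its /24 (IPv4) or /64 (IPv6) block (assumed sizes)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class SessionStore:
    """Maps unguessable tokens to a customer plus the client facts seen at issue time."""

    def __init__(self, token_bytes: int = 32):  # 32 bytes = 256 bits of entropy
        self.token_bytes = token_bytes
        self._sessions = {}

    def create(self, customer_id: str, client_addr: str, user_agent: str) -> str:
        # secrets.token_bytes() is a CSPRNG; never derive the token from the customer id.
        token = base58_encode(secrets.token_bytes(self.token_bytes))
        self._sessions[token] = (customer_id, ip_block(client_addr), user_agent)
        return token

    def resolve(self, token: str, client_addr: str, user_agent: str) -> Optional[str]:
        """Return the customer id only if the token exists and the client facts still match."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        customer_id, block, ua = entry
        if block != ip_block(client_addr) or ua != user_agent:
            return None
        return customer_id
```

With 32 random bytes the token is about 44 base58 characters, so an edited form value is overwhelmingly likely to match no session at all rather than someone else's.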