WebApp Sec mailing list archives
RE: Encrypted URL
From: "Hephaestus" <hephaestus () phreaker net>
Date: Fri, 30 Jan 2004 11:52:46 -0800
In many systems, users submit data to the web application. To do this, we must either (a) send it as unencrypted data, (b) use a well-known encryption system such as HTTPS, or (c) invent our own encryption system, which must then be transmitted to the user (as JavaScript or similar code) in order to use it. In all three cases, the user is fully aware of all the method's details, and can write clients that will send in arbitrary malicious data to the web application, using the method.
If the data has to be read *on the client side*, then encryption is just a form of obfuscation. However, it is quite common that what is really going on is that the server is talking to itself *through* the client, to avoid storing lots of state on the server side. In those cases, simple strong symmetric encryption works wonderfully, since transmitting information securely through a potentially insecure link is exactly what it was designed for. In fact, it's even easier than the normal communications case, since your server is talking to itself, greatly simplifying the key distribution problem :) It actually surprises me somewhat that so many cookies on my machine (and hidden fields in forms ...), even from relatively high security sites, are in plaintext, despite the fact they are never manipulated client-side. Saving CPU cycles, I guess.
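The "server talking to itself through the client" case above, as an added example that is not part of the original post: a Go round-trip that seals server-side state into an opaque token for a cookie or hidden field and rejects anything the client altered. It uses an authenticated mode (AES-GCM) rather than bare encryption, so edits are detected as well as hidden; the key bytes and the state string are constructed placeholders.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// ServerKey is a constructed 256-bit secret standing in for one the server loads from its own config.
var ServerKey = []byte("0123456789abcdef0123456789abcdef")
// newAEAD builds AES-256-GCM: secrecy plus an integrity tag over the token.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealState turns server state into an opaque token for a cookie or hidden
// field; a fresh random nonce is prepended so equal states give distinct tokens.
func SealState(key, state []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, state, nil) // nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}
// OpenState verifies and decrypts what the client handed back; any edit,
// truncation or wrong key fails the tag check, so only server-made state passes.
func OpenState(key []byte, token string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize() {
		return nil, errors.New("token too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}
```

Because the same server both seals and opens, the only key management needed is keeping ServerKey out of the client's reach and rotating it on a schedule you control.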