WebApp Sec mailing list archives
Re: Hash for data in transit
From: Richard Moore <rich () westpoint ltd uk>
Date: Wed, 21 Jul 2010 09:34:26 +0100
On 21/07/2010 03:21, Nikhil Wagholikar wrote:
Hi Richard, CRC is one of the best methods for integrity checking (more precisely 'detection') of data between web server and web browser.
If the intention is to protect against malicious changes (as the reference to tripwire suggests) then CRCs would be a very poor choice. They are vulnerable to a range of attacks that allow the data to be modified whilst the CRC remains valid. If a secure hash is required then something like SHA-1 or SHA-256 should be used.
In any case, like Robert said, HTTPs will do integrity check for the data.
This is also true. Cheers rich.
---
Nikhil Wagholikar
Senior Consultant
Ernst and Young (India)
Web: http://www.ey.com/India

On 21 July 2010 01:33, <richardhigh () imgva com> wrote:
Does anyone know of any tools out there that can be used to ensure the integrity of data while in transit from a web app and a user using a website to enter information? I've heard of Tripwire and ossec but those more for OS or for files at rest. Any ideas are welcomed. Thanks.

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
-- Richard Moore, Principal Software Engineer, Westpoint Ltd, Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England Tel: +44 161 237 1028 Fax: +44 161 237 1031
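Added example, not part of the original message: a Python sketch of why a CRC cannot detect deliberate changes while a keyed hash can. The sample form data, the key, and the choice of HMAC-SHA-256 (a keyed use of the SHA-256 hash named in the reply) are assumptions made for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample data: a form submission before and after a change in transit.
ORIGINAL = b"amount=0100&to=alice"
MODIFIED = b"amount=9100&to=alice"
KEY = b"constructed-demo-key"  # assumption: secret shared by sender and receiver


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc_after_edit(old_crc: int, delta: bytes) -> int:
    """CRC-32 of (msg XOR delta), derived from crc32(msg) and delta alone.

    CRC-32 is affine over XOR for equal-length inputs:
        crc(a ^ b) == crc(a) ^ crc(b) ^ crc(00...0)
    so the new checksum needs neither the message nor any secret.
    """
    return old_crc ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))


def tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-256 tag; cannot be recomputed without the key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, received_tag: bytes) -> bool:
    """Constant-time comparison of the expected and received tags."""
    return hmac.compare_digest(tag(key, msg), received_tag)


def compare() -> dict:
    """Run both integrity checks against the same in-transit change."""
    delta = xor(ORIGINAL, MODIFIED)
    predicted = crc_after_edit(zlib.crc32(ORIGINAL), delta)
    sent_tag = tag(KEY, ORIGINAL)
    return {
        "crc_matches_modified": predicted == zlib.crc32(MODIFIED),
        "hmac_accepts_original": verify(KEY, ORIGINAL, sent_tag),
        "hmac_accepts_modified": verify(KEY, MODIFIED, sent_tag),
    }


if __name__ == "__main__":
    print(compare())
```

The CRC check passes for the changed data because the checksum is keyless and predictable; the HMAC check rejects it because the tag depends on a key the modifier does not hold.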