WebApp Sec mailing list archives

Re: Hash for data in transit


From: Richard Moore <rich () westpoint ltd uk>
Date: Wed, 21 Jul 2010 09:34:26 +0100

On 21/07/2010 03:21, Nikhil Wagholikar wrote:
> Hi Richard,
>
> CRC is one of the best methods for integrity checking (more
> precisely 'detection') of data between web server and web browser.

If the intention is to protect against malicious changes (as the
reference to tripwire suggests) then CRCs would be a very poor choice.
They are vulnerable to a range of attacks that allow the data to be
modified whilst the CRC remains valid. If a secure hash is required
then something like SHA-1 or SHA-256 should be used.


> In any case, like Robert said, HTTPS will do integrity check for the
> data.

This is also true.

Cheers

rich.


> --- Nikhil Wagholikar Senior Consultant Ernst and Young (India) Web:
> http://www.ey.com/India
>
> On 21 July 2010 01:33, <richardhigh () imgva com> wrote:
>
>> Does anyone know of any tools out there that can be used to ensure
>> the integrity of data while in transit from a web app and a user
>> using a website to enter information?
>>
>> I've heard of Tripwire and ossec but those more for OS or for files
>> at rest.
>>
>> Any ideas are welcomed. Thanks.



This list is sponsored by Cenzic
-------------------------------------- Let Us Hack You. Before
Hackers Do! It's Finally Here - The Cenzic Website HealthCheck.
FREE. Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------





--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031
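
The property behind the reply's point about CRCs, as an added example that is not part of the original thread: CRC-32 is affine over XOR, so the checksum of changed data follows from the old checksum and the change alone, while SHA-256 has no such relation. The sample form data and all function names are constructed for illustration.

```python
import hashlib
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_after_change(old_crc: int, delta: bytes) -> int:
    """CRC-32 of (message XOR delta), derived without the message.

    For equal-length inputs: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros).
    """
    return old_crc ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))


def crc_prediction_matches(original: bytes, altered: bytes) -> bool:
    """True if the altered data's CRC-32 is predictable from the old CRC."""
    delta = xor_bytes(original, altered)
    predicted = crc_after_change(zlib.crc32(original), delta)
    return predicted == zlib.crc32(altered)


def sha256_prediction_matches(original: bytes, altered: bytes) -> bool:
    """Apply the same XOR relation to SHA-256 digests; it does not hold."""
    def digest(data: bytes) -> bytes:
        return hashlib.sha256(data).digest()

    delta = xor_bytes(original, altered)
    zeros = bytes(len(delta))
    predicted = xor_bytes(xor_bytes(digest(original), digest(delta)), digest(zeros))
    return predicted == digest(altered)


# Constructed sample form submission (not taken from the thread).
ORIGINAL = b"name=alice&item=widget&qty=01"
ALTERED = b"name=alice&item=widget&qty=99"

if __name__ == "__main__":
    print("CRC-32 predictable after change: ", crc_prediction_matches(ORIGINAL, ALTERED))
    print("SHA-256 predictable after change:", sha256_prediction_matches(ORIGINAL, ALTERED))
```

A digest only helps if it reaches the recipient over a path the data cannot be altered on, which is what HTTPS provides for the whole exchange.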


