WebApp Sec mailing list archives
re: advice needed - secure transfer of client details
From: Tim James <jimtames () yahoo com>
Date: Fri, 5 Nov 2004 14:39:55 +0000 (GMT)
Hey everyone,

A massive thank you to everyone that took the time to consider my problem, which I stated at the time as "securing the transfer of details from an untrusted client to a trusted server". I received many replies, all thought-provoking and many of them that must have taken serious consideration.

Many people pointed out, as often happens, that I was probably asking the wrong question, and that I needed to think about what I was trying to achieve: what assets were being protected? What was the cost of leaving them unprotected? Well, I can't really answer that last question in this forum, but the first question made me realise that I had two main requirements. Firstly, that only authorised workstations could use my web application, and secondly, that the data the workstations supplied to the server were accurate and not interfered with or fabricated.

The quality of answers was amazing. Some people took the question onto new levels (thanks Glenn and Keith!) and others kept it simple (stand up Andrew Sledge!).

What I've learned is:

1) Some form of digital certificate on each authorised client goes a long way towards increased trust of the client. Combine this with access control to the authorised workstations to prevent exporting of certificates, and impersonating an authorised workstation is getting much harder.
2) An applet is not the right way to generate the transfer of workstation details.
3) If you must transfer the details, use something which is difficult to reverse engineer.
4) Try and avoid having to transfer any details if you can, maybe by pre-registering the workstation details in a secure way.

Still more questions than answers, but I'm a lot further forward.

Thanks again,
Tim
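As an added illustration of points 1) and 4) above (this is not code from the thread or from any of its participants): a Python sketch of the server side, which requires a client certificate issued by the organisation's own CA at the TLS layer and then maps the verified certificate to a pre-registered workstation record, so the workstation never has to transmit its own identifying details for the server to trust. The CA and certificate file paths, workstation names and certificate serial numbers are constructed placeholders; the allow-list check is pure Python over the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, so it can be exercised without a live connection.

```python
import socket
import ssl
from typing import Optional

# Constructed allow-list of pre-registered workstations (hypothetical values).
# Keyed by the certificate subject CN; the value is the expected certificate
# serial number in the upper-case hex form that getpeercert() reports.
REGISTERED_WORKSTATIONS = {
    "ws-branch01": "0A1B2C",
    "ws-branch02": "0A1B2D",
}


def build_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server-side TLS context that only accepts clients holding a certificate
    signed by our own CA (paths are placeholders supplied by the caller)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED      # no client cert -> handshake fails
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def common_name(peer_cert: dict) -> Optional[str]:
    """Extract commonName from the nested tuple structure getpeercert() returns:
    'subject': ((('countryName', 'GB'),), (('commonName', 'ws-branch01'),))"""
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def identify_workstation(peer_cert: Optional[dict]) -> Optional[str]:
    """Map an already-verified client certificate to a registered workstation id.

    Returns None when there is no certificate, no CN, an unknown CN, or a CN
    whose serial does not match the pre-registered one. Pinning the serial as
    well as the CN means a second certificate reusing a known name (for
    example one issued in error) is still refused until it is registered."""
    if not peer_cert:
        return None
    cn = common_name(peer_cert)
    if cn is None:
        return None
    expected_serial = REGISTERED_WORKSTATIONS.get(cn)
    if expected_serial is None:
        return None
    if peer_cert.get("serialNumber", "").upper() != expected_serial:
        return None
    return cn


def serve_once(ctx: ssl.SSLContext, host: str = "127.0.0.1", port: int = 8443) -> Optional[str]:
    """Accept a single mTLS connection and return the workstation id, or None.
    Not exercised in the offline test; shown to tie the pieces together."""
    with socket.create_server((host, port)) as listener:
        raw, _ = listener.accept()
        with ctx.wrap_socket(raw, server_side=True) as conn:
            ws = identify_workstation(conn.getpeercert())
            if ws is None:
                # Verified by the CA but not pre-registered: log and refuse.
                conn.sendall(b"unregistered workstation\n")
                return None
            conn.sendall(f"welcome {ws}\n".encode())
            return ws
```

Because the CA check happens inside the TLS handshake, `identify_workstation` only ever sees certificates that the organisation's own CA issued; the allow-list then narrows that to the workstations that were registered out of band, which is what point 4) in the message is driving at.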