Re: Hash for data in transit

[Robert Hajime Lanning <robert.lanning () gmail com>]

Well, outside of an AES128-SHA1 SSL connection, there really isn't much that can
be done for transit protection.

I would not trust any JavaScript implementation of form data hashing.
Since that is
all modifiable on the client side.

If you can't even trust certificates, how are you going to trust the
client platform?

On Wed, Jul 21, 2010 at 8:26 AM, Richard High <RichardHigh () imgva com> wrote:
> HTTPS is already configured. This doesn't meet the required baseline
> security for web apps. According to published DISA directives.
>
> Richard High Security Engineer, CISSP
> Information Management Group, Inc.
> Richard.A.High () us army mil
> RichardHigh () imgva com
> NSA:rahigh () nsa ic gov
> SIPR: Richard.A.High () us army smil mil
> JWICS: Richard.High () dami ic gov
> Work Location Fairfax: (703)573-5000x401
> Pentagon Fax: (703) 695-3070
> 4050 Legarto Rd Suite 200
> Fairfax, VA 22033
>
> ________________________________
> From: listbounce () securityfocus com on behalf of Robert Hajime Lanning
> Sent: Tue 7/20/2010 6:42 PM
> To: webappsec () securityfocus com
> Subject: Re: Hash for data in transit
>
> On Tue, Jul 20, 2010 at 1:03 PM,  <richardhigh () imgva com> wrote:
> > Does anyone know of any tools out there that can be used to ensure
> > the integrity of data while in transit from a web app and a user
> > using a website to enter information?
>
> https will between the browser and the webserver.

-- 
And, did Galoka think the Ulus were too ugly to save?
                                         -Centauri



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------