WebApp Sec mailing list archives
Fwd: Hash for data in transit
From: Saleh <q8mosfet () gmail com>
Date: Mon, 26 Jul 2010 12:12:34 +0300
---------- Forwarded message ----------
From: Voulnet <voulnet () gmail com>
Date: Fri, Jul 23, 2010 at 7:51 PM
Subject: Re: Hash for data in transit
To: Saleh <q8mosfet () gmail com>

That is wrong from a security perspective. The initial asker asked about using it for data integrity between a web app and a browser, a path that is filled with perils and dangers, hence CRC is not really the best option. Using CRC, there is absolutely no way to tell if the message and a newly calculated CRC were created. Actually, if you want to change a little part of the message (such as changing $1,000 to $10,000), the changes to the corresponding CRC are so easy to make and calculate. CRC is better used to check for errors when moving files between hard drives, for example, but for use in a web app there are many better alternatives. When used on the web, a difference of nanoseconds is nothing. You can be sure of that.

On Fri, Jul 23, 2010 at 7:27 PM, Saleh <q8mosfet () gmail com> wrote:

> ---------- Forwarded message ----------
> From: Andrew Auernheimer <gluttony () gmail com>
> Date: Wed, Jul 21, 2010 at 4:08 PM
> Subject: Re: Hash for data in transit
> To: Saleh <q8mosfet () gmail com>
> Cc: Nikhil Wagholikar <visitnikhil () gmail com>, webappsec () securityfocus com
>
> Saleh,
>
> Your friend is wrong. CRC is absolutely fine for data integrity, which is why SSH uses it. The place where it fails is that it has no way to prevent malicious, engineered data alteration, which is why you use it with strong underlying cryptography (just like how SSH does it). Assuming the underlying hash function isn't broken, CRC is just fine.
>
> On Wed, Jul 21, 2010 at 3:57 AM, Saleh <q8mosfet () gmail com> wrote:
>
> > According to one of my friends (voulnet () gmail com), CRC is not that good in data integrity (errors can be masked). HTTPS will do good =D
> >
> > On Wed, Jul 21, 2010 at 5:21 AM, Nikhil Wagholikar <visitnikhil () gmail com> wrote:
> >
> > > Hi Richard,
> > >
> > > CRC is one of the best methods for integrity checking (more precisely 'detection') of data between web server and web browser. In any case, like Robert said, HTTPS will do the integrity check for the data.
> > >
> > > ---
> > > Nikhil Wagholikar
> > > Senior Consultant
> > > Ernst and Young (India)
> > > Web: http://www.ey.com/India
> > >
> > > On 21 July 2010 01:33, <richardhigh () imgva com> wrote:
> > >
> > > > Does anyone know of any tools out there that can be used to ensure the integrity of data while in transit between a web app and a user using a website to enter information? I've heard of Tripwire and OSSEC, but those are more for OS or for files at rest. Any ideas are welcomed. Thanks.
> > > >
> > > > This list is sponsored by Cenzic
> > > > --------------------------------------
> > > > Let Us Hack You. Before Hackers Do!
> > > > It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now!
> > > > http://www.cenzic.com/2009HClaunch_Securityfocus
> > > > --------------------------------------

--
Saleh Alsanad
http://www.google.com/profiles/q8mosfet
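The disagreement in this thread comes down to one property: a CRC carries no secret, so whoever can alter a value in transit can also recompute its checksum, whereas a keyed tag (an HMAC) cannot be recomputed without the server-side key. The following Python script is an added illustration written for this archive page; it is not code from any of the posters. It tags a constructed form value with CRC-32 and with HMAC-SHA256, alters the amount from $1,000 to $10,000 as Voulnet describes, and shows which verifier still accepts the altered value. It goes one step beyond the thread by also checking the linearity property of CRC-32 (the checksum of a change depends only on the change, not on the rest of the message), which is the mathematical reason the CRC adjustment Voulnet calls "easy to calculate" really is easy. The sample message and the key are constructed for the example.

```python
import hmac
import hashlib
import zlib

# Constructed sample: a value the browser sends back to the web app.
ORIGINAL = b"amount=$1,000&account=12345"
TAMPERED = b"amount=$10,000&account=12345"
# Constructed key; a real deployment keeps this server-side only.
SERVER_KEY = b"constructed-example-key"


def crc_tag(message: bytes) -> int:
    """Unkeyed CRC-32 checksum: anyone who holds the bytes can recompute it."""
    return zlib.crc32(message) & 0xFFFFFFFF


def crc_verify(message: bytes, tag: int) -> bool:
    return crc_tag(message) == tag


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256): recomputing it requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check does not leak the tag byte by byte.
    return hmac.compare_digest(hmac_tag(key, message), tag)


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over GF(2) for inputs of equal length:
    crc(a xor b) == crc(a) xor crc(b) xor crc(zeros of that length).
    This is why the checksum delta for an edit can be computed from the edit alone."""
    if len(a) != len(b):
        raise ValueError("linearity check needs equal-length inputs")
    xored = bytes(x ^ y for x, y in zip(a, b))
    zeros = bytes(len(a))
    return crc_tag(xored) == crc_tag(a) ^ crc_tag(b) ^ crc_tag(zeros)


def integrity_check_results(key: bytes):
    """Simulate the transit path the thread discusses.

    The server tags ORIGINAL, the value is altered to TAMPERED on the way back,
    and the altering party attaches the best tag it can produce.
    Returns (crc_accepts_tampered, hmac_accepts_tampered, hmac_accepts_original).
    """
    # CRC: the altering party simply recomputes the checksum; verification passes.
    crc_accepts_tampered = crc_verify(TAMPERED, crc_tag(TAMPERED))

    # HMAC: without the key the only available tag is the one issued for ORIGINAL,
    # and it does not verify against TAMPERED.
    issued_tag = hmac_tag(key, ORIGINAL)
    hmac_accepts_tampered = hmac_verify(key, TAMPERED, issued_tag)
    hmac_accepts_original = hmac_verify(key, ORIGINAL, issued_tag)

    return crc_accepts_tampered, hmac_accepts_tampered, hmac_accepts_original


if __name__ == "__main__":
    crc_ok, hmac_bad, hmac_ok = integrity_check_results(SERVER_KEY)
    print(f"CRC-32 accepts tampered value:  {crc_ok}")
    print(f"HMAC accepts tampered value:    {hmac_bad}")
    print(f"HMAC accepts original value:    {hmac_ok}")
    print(f"CRC-32 linearity holds:         {crc_is_linear(b'abcdef', b'123456')}")
```

Run it as a script to see the three verdicts. The point for a web app is the middle line: a tag that the recipient can recompute from the message alone detects accidental corruption, which is what CRC was designed for, but says nothing about deliberate alteration; only a key the client does not hold (an HMAC over the value, or the MAC inside a TLS record, which is what "HTTPS will do the integrity check" means in the thread) gives that guarantee.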
Current thread:
- Hash for data in transit richardhigh (Jul 20)
- Re: Hash for data in transit Robert Hajime Lanning (Jul 20)
- Message not available
- Re: Hash for data in transit Robert Hajime Lanning (Jul 21)
- Re: Hash for data in transit Peter M. Jansson (Jul 21)
- Message not available
- Re: Hash for data in transit Robert Hajime Lanning (Jul 20)
- Re: Hash for data in transit Nikhil Wagholikar (Jul 20)
- Re: Hash for data in transit Saleh (Jul 21)
- Message not available
- Message not available
- Message not available
- Fwd: Hash for data in transit Saleh (Jul 26)
- Re: Hash for data in transit Saleh (Jul 21)
- <Possible follow-ups>
- Re: Fwd: Hash for data in transit richardhigh (Jul 27)
- Re: Fwd: Hash for data in transit Robert Hajime Lanning (Jul 28)