Re: Hiding HTML code from being viewed.

From: csima (csima@spidynamics.com)
Date: 11/21/01


Message-ID: <006401c172aa$fcb5e370$0701010a@schwag>
From: "csima" <csima@spidynamics.com>
To: <focus-ms@securityfocus.com>
Subject: Re: Hiding HTML code from being viewed.
Date: Wed, 21 Nov 2001 11:38:44 -0500

The HTML is munged in transit and is de-munged using javascript, so
telnetting and grabbing the file won't make any difference.

HTML munging by no means is a security measure, but acts more as a
deterrent; it generally just makes it more of a pain in the ass to
web crawl the site or view comments in code.

----- Original Message -----
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "Caleb Sima" <csima@spidynamics.com>; <focus-ms@securityfocus.com>
Sent: Wednesday, November 21, 2001 10:52 AM
Subject: RE: Hiding HTML code from being viewed.

[sigh]

telnet www.target.com 80 >>output.html
GET /blabla.htm HTTP/1.0

Open in FrontPage, DreamWeaver, Fusion, etc. to normalize. HTML is
HTML. You can munge the code all you want, but any commercial product
(or even a generic script) can normalize it in less than a second.

I tried to get this by in my last post, but it didn't get accepted. The
short version of my sermon: Hiding HTML is not plausible, nor is it an
effective security measure.

Keith

-----Original Message-----
From: Caleb Sima [mailto:csima@spidynamics.com]
Sent: Tuesday, November 20, 2001 11:16 PM
To: focus-ms@securityfocus.com
Subject: Re: Hiding HTML code from being viewed.

There are HTML encryption products available:

HTML Guardian from ProtWare
http://www.protware.com/

HTML Guard
http://www.aw-soft.com/htmlguard.html

HTML Encrypt
http://share2.com/htmlencr/

HTMLEncrypter
http://goldstone.51.net/product/index.htm

They work in multiple ways, from disabling 'view-source' through javascript
to obfuscating the code to make it extremely hard to read.

Caleb Sima
csima@spidynamics.com

----- Original Message -----
From: "Kenneth Duran" <KDURAN@pn.usbr.gov>
To: <focus-ms@securityfocus.com>
Sent: Tuesday, November 20, 2001 4:17 PM
Subject: Hiding HTML code from being viewed.

Greetings again,

Thanks for the many responses. My web people tell me 'I told you so! plubt'
(that was a raspberry). You have given me a lot of information to check
out. My main intent was to have just the right amount of information
without giving away the farm. So far what I have discovered is that well
trained Web Admins go a long way to limit the unintended display of
information. They need to keep the information local to the box and not go
jumping throughout my domain and give addresses of machines which are
supposed to be hidden.

Again, thanks and I will check out all of the info and report back as to
what I find.

Kenneth M. Duran
PN Network Security Manager
kduran@pn.usbr.gov
(208)-378-5146
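
Added example, not part of the original thread and not the code of any product listed in it: a JavaScript audit of a page munged with a document.write(unescape("...")) wrapper, which is an assumed scheme since the thread names no specific encoding. It undoes the wrapper without executing any script and reports the comments and internal addresses a visitor can still read; the sample page, its addresses and all function names are constructed.

```javascript
// Constructed sample page, not taken from any product in the thread.
// The markup is percent-escaped and rebuilt in the browser by
// document.write(unescape("...")), the assumed munging scheme.
const SOURCE = '<html><!-- TODO: move off dev box 10.1.1.7 -->\n' +
  '<a href="http://192.168.4.20/reports/">Reports</a></html>';

// Percent-escape every character (the sample is ASCII only).
function munge(html) {
  const hex = [...html]
    .map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0'))
    .join('');
  return '<script>document.write(unescape("' + hex + '"))</script>';
}

// Undo the wrapper without running any script: replace each
// document.write(unescape("...")) call with its decoded argument.
// Repeats for nested layers, capped so odd input cannot loop forever.
function demunge(page, maxLayers = 5) {
  const call = /<script[^>]*>\s*document\.write\(unescape\((["'])((?:%[0-9a-fA-F]{2})+)\1\)\);?\s*<\/script>/g;
  let current = page;
  for (let i = 0; i < maxLayers; i++) {
    const next = current.replace(call, (_m, _q, hex) => unescape(hex));
    if (next === current) break; // nothing left to unwrap
    current = next;
  }
  return current;
}

// Report what a visitor can still read after de-munging:
// HTML comments and RFC 1918 (private) IPv4 addresses.
function audit(page) {
  const html = demunge(page);
  const comments = [...html.matchAll(/<!--([\s\S]*?)-->/g)].map(m => m[1].trim());
  const rfc1918 = /\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b/g;
  const addresses = [...new Set(html.match(rfc1918) || [])];
  return { comments, addresses };
}

// Two layers of munging still disclose the same comment and addresses.
console.log(audit(munge(munge(SOURCE))));
```

Run against the served form of your own pages, the report lists what needs to be removed at the source rather than hidden.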


