Re: Web Site Decrypting
From: DaveK (firstname.lastname@example.org)
- Next message: Jason Hood: "Re: Is there a free version of BlackIce?"
- Previous message: DaveK: "Re: FREE INTERNET"
- In reply to: Vlad Tsyrklevich: "Re: Web Site Decrypting"
- Next in thread: Mimic: "Re: Web Site Decrypting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "DaveK" <email@example.com> Date: Wed, 12 Feb 2003 00:00:09 -0000
"Vlad Tsyrklevich" <firstname.lastname@example.org> wrote in message
> On Sat, 08 Feb 2003 08:07:02 -0800, Scott wrote:
> > Good Day,
> > I am going to encrypt the parms that I pass around on my website for
> > page-to-page communication. (i.e. www.blahblah.com?num=FD8SA66F98S). It
> > would be painfully obvious to most what value I was encrypting (order
> > no.).
> > Would knowing the clear text value AND the encrypted value help someone
> > learn my encrypting key?
> Yes, you can encrypt their password with their password as the key and
> that will make stop that issue :-).
Best thing would be to encrypt a session key with the pw (or a hash of it)
as a symmetric key and let it be decrypted - or not - at the user's end by
using the pw again.
> > I use a fairly standard encrypting method set to 128-bit.
> You might want to use POST method instead of GET because it's much safer
> (ie. no paramater tampering)
Nonsense. It's as easy to forge a POST as it is to rewrite the HTML of a
validation. Never trust anything you receive from a client.
-- moderator of alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow Burn your ID card! http://www.optional-identity.org.uk/ Help support the campaign, copy this into your .sig! Proud Member of the Exclusive "I have been plonked by Davee because he thinks I'm interesting" List Member #<insert number here> Master of Many Meowing Minions Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above and beyond the call of hilarity. PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD