Re: Web Site Decrypting

From: DaveK (no.spam@my.mailbox.invalid)
Date: 02/12/03

"Vlad Tsyrklevich" <root@> wrote in message
> On Sat, 08 Feb 2003 08:07:02 -0800, Scott wrote:
> > Good Day,
> Hello.
> > I am going to encrypt the parms that I pass around on my website for
> > page-to-page communication. (i.e. It
> > would be painfully obvious to most what value I was encrypting (order
> > no.).
> >
> > Would knowing the clear text value AND the encrypted value help someone
> > learn my encrypting key?
> Yes, you can encrypt their password with their password as the key and
> that will stop that issue :-).

Best thing would be to encrypt a session key with the pw (or a hash of it)
as a symmetric key and let it be decrypted - or not - at the user's end by
using the pw again.

> > I use a fairly standard encrypting method set to 128-bit.
> You might want to use POST method instead of GET because it's much safer
> (i.e. no parameter tampering)

Nonsense. It's as easy to forge a POST as it is to rewrite the HTML of a
webpage to tamper with the form and disable the javascript parameter
validation. Never trust anything you receive from a client.


moderator of
Burn your ID card!
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E  6484 C441 CEC7 D2BD
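An added example (not code from anyone in this thread) of the server-side stance DaveK takes: a round-tripped order number is accepted only if it carries an integrity tag bound to the user's session, and the same check runs whether the value arrives in a GET query string or a POST body. It uses an HMAC tag rather than the encryption the original poster describes; the function names and `SERVER_KEY` are hypothetical.

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs

# Hypothetical server-side secret. It never leaves the server, so the client
# can see order numbers and tags all day without learning how to forge one.
SERVER_KEY = secrets.token_bytes(32)


def sign_param(name: str, value: str, session_id: str) -> str:
    """Tag binding a parameter value to one session, so a tag copied from
    another user's page is useless here."""
    msg = f"{session_id}|{name}|{value}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def build_link(order_no: str, session_id: str) -> str:
    """Query string the server emits for page-to-page navigation."""
    return f"order={order_no}&tag={sign_param('order', order_no, session_id)}"


def read_order(query_or_body: str, session_id: str):
    """Validate what came back from the client. Identical for a GET query
    string and a POST body: both are client-controlled, neither is trusted.
    Returns the order number, or None if the parameter fails validation."""
    params = parse_qs(query_or_body)
    order = params.get("order", [""])[0]
    tag = params.get("tag", [""])[0]
    if not order.isdigit():          # shape check before anything else
        return None
    expected = sign_param("order", order, session_id)
    # Constant-time comparison; a plain == leaks timing information.
    if not hmac.compare_digest(expected, tag):
        return None
    return order


if __name__ == "__main__":
    sid = "session-constructed-for-demo"
    link = build_link("1234", sid)
    print(read_order(link, sid))                                   # 1234
    print(read_order(link.replace("order=1234", "order=1235"), sid))  # None
```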