- From: Roger Hågensen <rescator@emsai.net>
- Date: Wed, 05 Jan 2011 17:29:10 +0100
On 2011-01-04 22:59, Seth Brown wrote:
> That being said. Granting access to a particular script instead of an
> entire site sounds like a reasonable security requirement to me. As
> does using a hash to verify that the script you granted permission to
> hasn't changed.
>
> -Seth

A hash (any hash in fact, even "secure" ones) can only guarantee that two pieces of data are different!

A hash can NEVER guarantee that two pieces of data are the same; this is impossible. A hash can only be used to make a quick assumption that the data probably are the same, thus avoiding an expensive byte-by-byte comparison in cases where the hashes differ. If the hashes are the same, then only a byte-by-byte comparison can guarantee the data are the same.

Any cryptography expert worth their salt will agree with the statements above.

HTTPS, which is continually evolving, is a much better solution than just relying on hashes and plain HTTP. I cringe each time I see a "secure" script that is delivered over HTTP whose purpose is to encrypt the password you enter and send it to the website.

HTTP authentication however isn't so bad, if only the damn plaintext "basic" support was fully deprecated AND disallowed. Then again, now that you can get domain certificates for free that are supported by the major browsers, HTTP Authentication is kinda being overshadowed by HTTPS, which is fine I guess.

Just please don't "slap a hash on it" and think it's safe, that's all I'm saying really.

--
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/
Received on Wednesday, 5 January 2011 08:29:10 UTC
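As an added illustration of the hash discussion above (this is not code from the thread or from any project it mentions), the following Python script shows both halves of the argument: a digest mismatch is a proof that a fetched script differs from the one a permission was granted for, while a digest match only vouches for sameness up to the digest's collision resistance. The second part makes that concrete by deliberately truncating SHA-256 to 16 bits, where two distinct inputs with the same digest turn up after a few hundred tries; with the full 256-bit digest no such pair is known. The sample script bytes and the "pinned" digest are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample "script" standing in for a file downloaded from a site (not from the thread).
SAMPLE_SCRIPT = b"function login(u, p) { return post('/auth', {u: u, p: p}); }\n"


def sha256_hex(data: bytes) -> str:
    """Full SHA-256 digest of the input as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def hashes_differ_proves_different(a: bytes, b: bytes) -> bool:
    """Hashing is deterministic, so a digest mismatch is proof that a and b differ."""
    return sha256_hex(a) != sha256_hex(b)


def verify_pinned_script(script: bytes, pinned_hex: str) -> bool:
    """Compare a freshly fetched script against the digest recorded when permission was granted.

    hmac.compare_digest runs in time independent of where the strings first differ.
    """
    return hmac.compare_digest(sha256_hex(script), pinned_hex)


def truncated_digest(data: bytes, bits: int) -> int:
    """Keep only the leading `bits` bits of SHA-256, so collisions become cheap to find."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_truncated_collision(bits: int = 16, limit: int = 100_000):
    """Deterministically search for two distinct inputs sharing a truncated digest.

    By the birthday bound this takes roughly 2**(bits/2) attempts; returns None if
    the limit is exhausted first.
    """
    seen = {}
    for i in range(limit):
        msg = b"input-%d" % i
        t = truncated_digest(msg, bits)
        if t in seen:
            return seen[t], msg  # two different inputs, same truncated digest
        seen[t] = msg
    return None


if __name__ == "__main__":
    pinned = sha256_hex(SAMPLE_SCRIPT)          # recorded when access was granted
    tampered = SAMPLE_SCRIPT + b"// appended\n"  # any change to the bytes

    print("unchanged script verifies :", verify_pinned_script(SAMPLE_SCRIPT, pinned))
    print("modified script verifies  :", verify_pinned_script(tampered, pinned))
    print("mismatch proves different :", hashes_differ_proves_different(SAMPLE_SCRIPT, tampered))

    pair = find_truncated_collision(16)
    if pair:
        a, b = pair
        print("16-bit collision:", a, b, "->", hex(truncated_digest(a, 16)))
        print("full SHA-256 still differs:", sha256_hex(a) != sha256_hex(b))
```

The pinned-digest check is the pattern the thread is discussing; the truncated-digest search is only there to show why a digest match is an assumption whose strength depends on the digest size, and why it is no substitute for transporting the script over an authenticated channel such as HTTPS.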