Re: Idea for securityfix in HTML

[snip]

>
> On Sat, Nov 16 '02 at 12:28, Xatr0z wrote:
> > [ ... ] If someone is "sniffing" and get's the HTTP request
> > instead of the HTTP server, he or she doesn't get the password, but it's
> > encrypted (or with MD5, that depends on the HTTP request). Ofcourse, it
> > isn't secure, he or she could trie an dictionary or brute-force attack,
but
> > is is more secure, and I think that's a good thing.
> I don't need to do and brute-force. I can just reuse the SAME md5
> hash/checksum I just sniffed to reauthenticate as a valid user. As we
> have discussed, an MD5 sum can not be "decrypted" into the real
> password, it can only be compatred to a given MD5 sum in the database.
>

Yes you can, but think about registration mechanisms, you can mostly
register yourself only once.

[snip]

> > What do you feel about the idea to create a attribute which allows the
> > client to send an (MD5) checksum of the file, to determine if the
transport
> > went well?
> This does not even add integrity checks for anything but transport
> errors. This should be handled by the transport protocoll (TCP/IP in
> this case) but again read "secrets and lies".

Why should it? On my WWWebsites, I would like to see details about what went
wrong, give my personal errors, etc. I think it is a good idea to insert
this in HTML/XHTML.


Regards,

D. Willems "Xatr0z" <xatr0z at users dot sourceforge dot net>

Received on Sunday, 17 November 2002 05:21:35 UTC