A couple of security-related questions
Posted: Thu Dec 20, 2007 12:27 am
1) Are images as easily sniffed (and converted into viewable data) by the bad guys as POST data?
2) I'm using a sort of challenge-response system, except without the challenge. I'm allowing people to password-protect a news post without registering or having an account. I use the SHA256 library to hash their password before it is sent off for processing, by filling a hidden form field with this hash and emptying the password box before submit. This of course requires JavaScript to be enabled, and if it's not, I will deny them the ability to post unless they have JavaScript on, for now. I know this is illegal in some locales... is it legal in the US? I will work on an SSL implementation at some point in the future.
3) If I plainly expose my salting scheme in the JavaScript, does this make brute force easier for would-be attackers? If so, how can I get around this when I'm using JavaScript to do the hashing?
4) Say someone were to brute-force: does tokenizing my form (i.e., making a token, storing it in a database, and checking it on submit) GUARANTEE that the form submission came from this web site?
This is not how I would normally do things, but I'm working with a client that INSISTS on doing it this way (at least it's nice to finally have a client who knows what he's talking about). I'm just trying to make sure I give him as secure an application as I can, the way he wants it.