[8190] in bugtraq
Re: Referer (was Patches for wwwboard.pl)
daemon@ATHENA.MIT.EDU (Lincoln Stein)
Tue Oct 13 15:03:04 1998
Date: Tue, 13 Oct 1998 10:26:48 -0400
Reply-To: lstein@cshl.org
From: Lincoln Stein <lstein@CSHL.ORG>
X-To: David Schwartz <davids@webmaster.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <000001bdf62a$069b43e0$021d85d1@youwant.to>
The original article did suggest incorporating the IP address and a
timestamp in the hash function. The main point of the article was
that using just the Referer field for security was a very bad idea.
I sure hope this thread will be killed soon!
Lincoln
David Schwartz writes:
>
> You should also be including a timestamp and an originator IP in the hash
> function. Otherwise you are vulnerable to interception and replay attacks.
> If you're going to do it, you might as well do it right.
>
> DS
>
> > Even though I wrote this, it turns out that this isn't the best way to
> > compute a message authentication code (MAC). A more secure technique
> > is this:
> >
> > $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"))
> >
> > I explain the problems with the original scheme in the October issue
> > of Web Techniques.
> >
> > Lincoln
> >
> > --
> > ========================================================================
> > Lincoln D. Stein Cold Spring Harbor Laboratory
> > lstein@cshl.org Cold Spring Harbor, NY
> > ========================================================================
> >
--
========================================================================
Lincoln D. Stein Cold Spring Harbor Laboratory
lstein@cshl.org Cold Spring Harbor, NY
========================================================================
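An added example, not code from the thread or from Lincoln Stein: the nested-MD5 construction quoted above, written out so its space-joined field ambiguity can be checked, beside a verifier that binds the hidden fields to the originator IP and a timestamp as David Schwartz suggests. The secret, field values and IP address are constructed placeholders.

```python
import hashlib
import hmac
import time

# Constructed sample values; the real secret and field names are not on the page.
SECRET = b"server-side-secret-never-sent-to-the-browser"
MAX_AGE_SECONDS = 900  # how long a signed form is accepted


def nested_md5_mac(secret, fields):
    """The construction quoted in the thread: MD5(secret . MD5("secret fields")).

    Fields are joined with spaces, as the Perl interpolation does, so
    ["a b"] and ["a", "b"] hash the same input (see fields_collide).
    """
    inner = hashlib.md5(secret + b" " + " ".join(fields).encode()).hexdigest()
    return hashlib.md5(secret + inner.encode()).hexdigest()


def fields_collide(secret, a, b):
    """True when two different field lists produce the same nested-MD5 tag."""
    return a != b and nested_md5_mac(secret, a) == nested_md5_mac(secret, b)


def sign(fields, client_ip, timestamp=None, secret=SECRET):
    """Tag the hidden fields together with originator IP and timestamp (HMAC-SHA256).

    A NUL separator keeps field boundaries unambiguous.
    Returns (timestamp, tag); both travel in the form as hidden fields.
    """
    ts = int(time.time()) if timestamp is None else int(timestamp)
    msg = "\0".join([*fields, client_ip, str(ts)]).encode()
    return ts, hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(fields, client_ip, ts, tag, now=None, secret=SECRET, max_age=MAX_AGE_SECONDS):
    """Accept only a matching tag whose timestamp is still fresh (bounds replay)."""
    now = int(time.time()) if now is None else now
    ts = int(ts)
    if not 0 <= now - ts <= max_age:
        return False
    msg = "\0".join([*fields, client_ip, str(ts)]).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison
```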