
Re: [cgiapp] problem with form-data (get/post)

Brute force is brute force.  Think of the program crack.  Instead of
passing the cleartext password, you des3 the password and send it.  It
might take slightly longer to generate the URL, but I am guessing that the
client would not be the bottleneck on the request.

Brian
--
Brian T. Wightman                suppressed
Global Data Management          http://pdm.cg.jci.com/
Johnson Controls, Controls Group          (414) 524-4025


suppressed wrote on 06/18/2004 04:15 AM:
To:       suppressed
cc:
Subject:  Re: [cgiapp] problem with form-data (get/post)

Hi,

the only reason that I'm encrypting the password is to prevent a
possible brute-force attack like:
myURL/cgi-bin/myloginscript.cgi?pass=xxx

With an encrypted value of pass it is highly unlikely to get the right
value - or am I wrong?

Jan
suppressed wrote:

>
>
>As an aside (but related), what is the value of submitting a TripleDES
>encoded password over a clear (HTTP) session?  At the time of submit it
>just becomes a token that the web server reads, runs through a function to
>validate it, and lets it go from there on.
>
>Maybe I am being thick, but if you send an encrypted password or a
>plaintext password, isn't it still just a replayable token?  I am having a
>hard time coming up with a scenario where this would buy you more
>security.
>
>Brian
>--
>Brian T. Wightman                suppressed
>Global Data Management          http://pdm.cg.jci.com/
>Johnson Controls, Controls Group          (414) 524-4025
>
>
>suppressed wrote on 06/17/2004 02:32 AM:
>To:       suppressed
>cc:
>Subject:  Re: [cgiapp] problem with form-data (get/post)
>
>Hi,
>
>maxlength is already set in the input field with a value of 256 (that
>should be enough).
>
>Greets
>Jan
>
>
>Alexander Becker wrote:
>
>
>
>>>Hi,
>>>
>>>I'm having trouble with a CGI program of mine and can't find a way to
>>>solve it.
>>>Here it is:
>>>In a simple form I type in a password. This is encrypted via TripleDES.
>>>The encrypted password is sent via the submit button (POST or GET, both
>>>have the same problem).
>>>Everything works fine when I use Mozilla or IE as the browser.
>>>But with Opera, Konqueror or Lynx as the browser the password field is cut
>>>off.
>>>
>>>Here is a little example:
>>>
>>>with mozilla 1.7/IE 6:
>>>pass=%D6%03%A0%D7%B0%3F0%FD
>>>
>>>with opera 7.5:
>>>pass=%D6%03
>>>
>>>with lynx:
>>>pass=%D6%A0%D7%B0%3F0%FD
>>>
>>>Does anyone have an idea why each browser handles the encoded value in its
>>>own way?
>>>
>>>Thanks for any tips.
>>>
>>>Greets
>>>Jan
>>>
>>>---------------------------------------------------------------------
>>>Web Archive:  http://www.mail-archive.com/suppressed/
>>>             http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
>>>To unsubscribe, e-mail: suppressed
>>>For additional commands, e-mail: suppressed
>>>
>>Perhaps you set a length attribute on the input field?
>>Several browsers interpret it in their own way.
>>Greets, A. Becker (sry for typos)
>>
>
>



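An added example, not code from anyone in this thread: it decodes the three form values Jan posted, shows that Mozilla's is exactly one 8-byte TripleDES block while Opera's and Lynx's are not, and shows the text-safe (hex/base64) encoding that keeps raw ciphertext bytes out of the form field altogether. The reading that the 0x03 control byte is what Opera stops at and Lynx drops is an inference from the three samples, not something the thread confirms.

```python
# Added example, not code from anyone in this thread: decode the three form
# values Jan reported and show a text-safe way to carry the ciphertext.
import base64
import binascii
from urllib.parse import quote_from_bytes, unquote_to_bytes

# The three observations copied from Jan's message.
OBSERVED = {
    "mozilla": "%D6%03%A0%D7%B0%3F0%FD",
    "opera": "%D6%03",
    "lynx": "%D6%A0%D7%B0%3F0%FD",
}
DES_BLOCK = 8  # TripleDES output is always a multiple of 8 bytes

def decode_form_value(encoded: str) -> bytes:
    """Undo the percent-encoding the browser applied to the field value."""
    return unquote_to_bytes(encoded)

def control_bytes(raw: bytes) -> list:
    """(offset, value) of C0 control bytes; 0x03 (ETX) is the one in Jan's data."""
    return [(i, b) for i, b in enumerate(raw) if b < 0x20 or b == 0x7F]

def diagnose(encoded: str) -> dict:
    """Length and control-byte report for one browser's submitted value.
    Assumption (not stated in the thread): Opera stopping right after 0x03 and
    Lynx dropping it suggest the raw control byte in the field is the trigger."""
    raw = decode_form_value(encoded)
    return {
        "length": len(raw),
        "whole_block": len(raw) == DES_BLOCK,
        "control_bytes": control_bytes(raw),
    }

def reencode(raw: bytes) -> str:
    """Percent-encode raw bytes as Mozilla did: '0' and other unreserved
    characters stay literal, everything else becomes %XX."""
    return quote_from_bytes(raw)

def text_safe_encodings(raw: bytes) -> dict:
    """Hex or base64 the ciphertext before it goes into the form field, so the
    browser only ever sees printable ASCII and has nothing to mangle."""
    return {
        "hex": binascii.hexlify(raw).decode("ascii"),
        "base64": base64.b64encode(raw).decode("ascii"),
    }

if __name__ == "__main__":
    for browser, value in OBSERVED.items():
        print(f"{browser:8}{diagnose(value)}")
    print(text_safe_encodings(decode_form_value(OBSERVED["mozilla"])))
```

Whichever encoding is used, Brian's point stands: the value the server receives is a replayable token, so guess throttling and transport encryption have to be done server-side, not by transforming the password in the browser.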

Mail converted by mhonarc 2.6.15