Bugtraq mailing list archives

Re: Referer (was Patches for wwwboard.pl)


From: lstein () cshl org (Lincoln Stein)
Date: Tue, 13 Oct 1998 10:26:48 -0400


The original article did suggest incorporating the IP address and a
timestamp in the hash function.  The main point of the article was
that using just the Referer field for security was a very bad idea.

I sure hope this thread will be killed soon!

Lincoln

David Schwartz writes:

     You should also be including a timestamp and an originator IP in the hash
function. Otherwise you are vulnerable to interception and replay attacks.
If you're going to do it, you might as well do it right.

     DS

Even though I wrote this, it turns out that this isn't the best way to
compute a message authentication code (MAC).  A more secure technique
is this:

 use MD5;
 $hash = MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"));

I explain the problems with the original scheme in the October issue
of Web Techniques.

Lincoln

--
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lstein () cshl org                                   Cold Spring Harbor, NY
========================================================================
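An added example, not Lincoln's Perl from the message or any wwwboard.pl code: the nested-hash construction above carried through in Python, with the originator IP and timestamp David Schwartz asks for bound into the hash, and a server-side verifier that checks them. The secret, the form field names, the IP and the 600-second window are constructed for the example.

```python
import hashlib
import hmac

# Constructed example secret; a real deployment keeps this out of the page source.
SECRET = b"example-server-secret"
MAX_AGE_SECONDS = 600   # constructed freshness window for the timestamp check


def make_mac(secret: bytes, untamperable: list, consistency: list) -> str:
    """Nested construction from the message: hexhash(secret . hexhash("secret @u @c")).
    Perl interpolates each array with spaces between elements, which is mirrored here.
    The inner hash covers the fields; the outer hash wraps it with the secret again."""
    fields = " ".join(list(untamperable) + list(consistency))
    inner = hashlib.md5(secret + b" " + fields.encode()).hexdigest()
    return hashlib.md5(secret + inner.encode()).hexdigest()


def issue_token(form_fields: dict, client_ip: str, now: int) -> dict:
    """Server side when the form is rendered: sign the hidden fields together
    with the originator IP and the issue timestamp."""
    untamperable = [f"{k}={v}" for k, v in sorted(form_fields.items())]
    consistency = [client_ip, str(now)]
    return {"fields": dict(form_fields), "ip": client_ip, "ts": now,
            "mac": make_mac(SECRET, untamperable, consistency)}


def verify_token(token: dict, client_ip: str, now: int) -> bool:
    """Server side on submission: recompute the MAC and compare in constant time,
    then require the same originator IP and a timestamp inside the window."""
    untamperable = [f"{k}={v}" for k, v in sorted(token["fields"].items())]
    consistency = [token["ip"], str(token["ts"])]
    expected = make_mac(SECRET, untamperable, consistency)
    if not hmac.compare_digest(expected, token["mac"]):
        return False            # fields, IP or timestamp were altered
    if token["ip"] != client_ip:
        return False            # presented from a different originator
    if not (0 <= now - token["ts"] <= MAX_AGE_SECONDS):
        return False            # replayed after expiry (or clock skew)
    return True


if __name__ == "__main__":
    tok = issue_token({"board": "general", "thread": "42"}, "192.0.2.10", 1000)
    print(tok["mac"], verify_token(tok, "192.0.2.10", 1100))
```

Because the fields are space-joined exactly as in the Perl, a value that itself contains a space is ambiguous to the verifier; a production version should escape or length-prefix each field before hashing.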
