Web/php Security
Topic Started: Oct 25 2005, 05:02 PM (592 Views)
insecure
Elite member
How do BBSs like this one manage security? When Alice logs in, what's to stop Eve sniffing the password?
 
Revelation
Administrator
The password is encrypted with MD5. Though, you can still steal her cookie. Note that this does not help you get in the admin panel. You have to log in again to access it. Plus, if someone claims that his/her account is hacked, I can check the IP and compare it to the old one. For every post you make or every action a mod does, his/her IP gets logged. This also counts for guests.
 
insecure
Elite member
I'm asking for a very good reason which has nothing to do with hacking into this site! :)

Well, okay, it sort of does, albeit from the whitehat side of the fence. Thing is, I need something very similar, but I can't work out for the life of me how to get J Random Browser to encrypt something using MD5 - or anything else. Especially given that my users could be using Firefox, Galeon, Konqueror, Lynx, Netscape, that Microsoft thing, Opera, or even Mosaic for all I know.

So - what is the HTML tag for "take this challenge, cat your response to it, MD5-hash it, and send it back to the server"?
 
Donald
Elite member
"Insecure"
 
what is the HTML tag for "take this challenge, cat your response to it, MD5-hash it, and send it back to the server"?

I don't THINK you can do it that way. I THINK you have to set up an SSL on the server end. But I speak of things about which I know nothing.

And, seeing as how I know nothing, I would have kept my mouth shut. EXCEPT, that I have a question about what MIGHT be possible. Could you create a Java applet to do the encryption for you? Applets run on the user's machine, so it should be possible to create an applet that does encryption/hashing on each user's machine and then sends only the encrypted data over the net to the applet on the other side.

Of course, this plan might be hindered by the annoying fact that all of Java's high end encryption routines don't ship with standard Java (Because the folks at SUN are nervous about what happens when the kind people in the U. S. Congress become unhappy).

Donald
 
insecure
Elite member
Oh, that might be fun. In fact, it might even be worth learning Java for. (I tried once, but got bored.)

I'm not fussed about the lack of encryption support. As long as it has bignums, that's good enough for me. I think we proved that already. :-)

But PHP seems to manage without Java. So I guess I have to learn about SSL. Any pointers?
 
rot13
Elite member
All you need to do with SSL is enable it on your web server and get a signed certificate from some place like Verisign. If you aren't using SSL, there is nothing else you can do to ensure security because you are open to man-in-the-middle attacks, among other things.

As far as doing MD5, there are MD5 implementations in JavaScript; that might be the easiest thing to run on the browser. Here's one site.
 
Donald
Elite member
"rot13"
 
there is nothing else you can do to ensure security because you are open to man-in-the-middle attacks

Ah, true. Even if Bob can PROVE he's talking to Alice, he can't prove that Eve isn't intercepting all of the communications between them, AND REPLACING THEM.

So Alice sends her number to Bob. Eve intercepts, and replaces it with her own number, and sends it on to Bob. Bob sends back his reply, not realizing that he's actually establishing a secure channel with EVE, not Alice. Eve keeps the key she's developed with Bob, and sends back a reply to Alice, based on the number Alice sent earlier, and now Eve has established different secure channels with both Alice and Bob.
Anything Alice sends, Eve intercepts, reads it with her Alice key, and then re-encrypts it with the BOB key and sends it on. When Bob sends replies, Eve decrypts with the Bob key, reads it, then re-encrypts with the Alice key and sends it on.

Other than a slight delay in responses, which should be completely undetectable on the chaotic internet, there is no way for Alice and Bob to know that Eve is listening in on everything they say. Ick!!!!!

Ok, but wouldn't Public Key Encryption offer a way around this? IF Alice and Bob both have public keys, and both Alice and Bob KNOW each other's public keys, then they could do their D-H exchange with those keys and know that Eve can't intercept. But then, if Alice and Bob have already exchanged public keys, what's the point of the D-H exchange?

What a quandary!
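The idea raised in the post above (a D-H exchange between parties who already know each other's public keys), as an added example that is not part of the original post. It assumes PHP 7.2+ with the bundled sodium extension; the function names `new_identity()`, `dh_offer()` and `dh_accept()` are hypothetical.

```php
<?php
// Added example, not code from the thread. Function and variable names are
// illustrative. Requires the sodium extension (bundled since PHP 7.2).

// Long-term signing keys; each side already knows the other's public half.
function new_identity(): array
{
    $kp = sodium_crypto_sign_keypair();
    return ['secret' => sodium_crypto_sign_secretkey($kp),
            'public' => sodium_crypto_sign_publickey($kp)];
}

// Fresh D-H "number" for one session, signed with the sender's long-term key.
function dh_offer(array $identity): array
{
    $secret = random_bytes(SODIUM_CRYPTO_SCALARMULT_SCALARBYTES);
    $public = sodium_crypto_scalarmult_base($secret);
    return ['secret' => $secret,
            'public' => $public,
            'sig'    => sodium_crypto_sign_detached($public, $identity['secret'])];
}

// Check the signature on the peer's number against the identity key we
// already hold, then derive the session key. Returns null if the check fails.
function dh_accept(string $mySecret, string $peerPublic, string $peerSig,
                   string $knownPeerIdentity): ?string
{
    if (!sodium_crypto_sign_verify_detached($peerSig, $peerPublic, $knownPeerIdentity)) {
        return null; // the number did not come from the expected party
    }
    return sodium_crypto_generichash(sodium_crypto_scalarmult($mySecret, $peerPublic));
}

$alice = new_identity();
$bob   = new_identity();
$a = dh_offer($alice);
$b = dh_offer($bob);

// Untampered exchange: both sides derive the same session key.
$keyAtAlice = dh_accept($a['secret'], $b['public'], $b['sig'], $bob['public']);
$keyAtBob   = dh_accept($b['secret'], $a['public'], $a['sig'], $alice['public']);
var_dump($keyAtAlice !== null && hash_equals($keyAtAlice, $keyAtBob));

// A replaced number (constructed here with a third identity) is signed by the
// wrong key, so Bob refuses it instead of silently keying with the wrong party.
$eve = new_identity();
$e   = dh_offer($eve);
var_dump(dh_accept($b['secret'], $e['public'], $e['sig'], $alice['public']));
```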
 
insecure
Elite member
Oh, do you mean that I can just enable SSL and then send passwords etc "in clear", on the grounds that SSL is wrapping everything up for me?

If so, that would work very nicely.

But does this site, for example, use SSL?
 
Donald
Elite member
"insecure"
 
do you mean that I can just enable SSL and then send passwords etc "in clear"

Again, I really don't know much about network security and SSL, so hopefully if I'm steering you wrong someone with more knowledge will correct me.

As I understand it, you can only enable SSL when you are the SERVER. And when SSL is enabled, you should see a https:// in your browser's URL box. (Mozilla also changes the URL box's color and puts a little padlock in the lower right corner of the window.)

Now it seems to me like I've ALSO seen web sites where the site was not secured, but a single input field was touted as being "SSL" secured. I'm not certain if they were just trying to make you feel good or not.

But in general, I assume that any website that doesn't log me in through an https:// web page is getting my logonid and password in the clear. And so, yes, I assume this web site does its logon in the clear, and there isn't anything you can do on YOUR end that will change that.

Donald
 
insecure
Elite member
Sorry, I wasn't very clear.

Let Alice be the client. She might be running any old browser.

Let Bob be the server.

I am in the position of "writing" Bob - that is, I have to allow Alice (but not Eve or Mallory) to log onto the server to use its services.

Here is what I think has been said so far.

Bob gets a certificate from MCA (Mallory's Certification Authority - oops, that might have been a mistake! :rofl: ). Bob enables SSL on Apache. Bob now sits back and waits for all the little Alices to log on.

Alice fires up her browser and points at Bob's site. The server provides an SSL-protected connection with the browser, and Alice can now type password-type stuff into a box and click "Wheee!" and be sure that her message will be protected by SSL. From Alice's browser's point of view, nothing special need happen. It's just a straight HTML form, and the POST data is sent in the usual way.

From Bob's PHP code's point of view, again, nothing special need happen - it's just form data.

And Eve can't get in because SSL is keeping her at bay, with the certificate to prove to Alice that Bob is Bob, and the password to prove to Bob that Alice is Alice.

Is that about right? If so, I can get straight on with developing the site, because SSL seems to be addable-onnable afterwards.

 
Donald
Elite member
"Insecure"
 
I can get straight on with developing the site, because SSL seems to be addable-onnable afterwards.

Sounds right to me. BUT, I'm really not being any help here. :) I'll shut up and let someone who KNOWS what they are talking about assist.

Donald
 
rot13
Elite member
Quote:
 
Is that about right? If so, I can get straight on with developing the site, because SSL seems to be addable-onnable afterwards.


Yes, that is correct. SSL discourages MitM attacks because of the certificate, and discourages eavesdropping with encryption. You can send stuff back and forth with plaintext after that, as long as you don't drop back into regular http.

Also, it should be fine to develop the site without SSL. If you REALLY need to be secure, when you turn on SSL, make sure that any session cookies that get set are marked as secure-only, that is, they only get sent over an SSL connection. There is an attack where someone impersonates your web server and redirects a user to a non-SSL page on the spoofed site to grab the cookies. They are then able to impersonate the user on the SSL site. Another thing you can do if you are keeping session information on the server is to verify the IP address of the client every time, in case someone does manage to swipe a secure cookie.
 
insecure
Elite member
I wasn't planning on using cookies. I hate the thought of getting crumbs everywhere.

What do you mean by "drop back into regular http"? Or rather, how do I get out of regular http, and how do I avoid dropping back into it?

Hey guys, I'm a C programmer!!!! :-)
 
rot13
Elite member
Quote:
 
What do you mean by "drop back into regular http"? Or rather, how do I get out of regular http, and how do I avoid dropping back into it?


If you send a user to an https URL in order to do the password stuff, but then send them back to an http URL afterwards. It is all controlled by the URL. Most of the time, your URLs are relative - they don't contain "http://blahblah", they just have the filename. The browser uses the current protocol & hostname for a relative URL. That way, if the user comes in with https, they'll stay that way unless you specifically send them to a URL that starts with http://.

Quote:
 
I wasn't planning on using cookies. I hate the thought of getting crumbs everywhere.


Just to make sure you are aware, if you use the sessions in PHP you are using cookies; it stores the session id in a cookie.
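The session advice from rot13's two posts above (stay on https, mark the session cookie secure-only, compare the client IP on every request), as an added example that is not part of the original posts. The host name `bob.example`, the function names and the `client_ip` session key are hypothetical; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. CANONICAL_HOST, the function
// names and the 'client_ip' session key are assumptions for illustration.
const CANONICAL_HOST = 'bob.example';

// True when this request reached PHP over SSL/TLS (direct Apache setup;
// a TLS-terminating proxy in front would need a different check).
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// The https:// form of the requested page, built from a fixed host name
// rather than from the client-supplied Host header.
function https_url(array $server): string
{
    return 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
}

function start_secure_session(array $server): void
{
    // Never run a session over plain http: send the browser to https first.
    if (!request_is_https($server)) {
        header('Location: ' . https_url($server), true, 301);
        exit;
    }

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // cookie is only sent over an SSL connection
        'httponly' => true,  // extra hardening: not readable from page scripts
    ]);
    session_start();

    // Bind the session to the address that created it.
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (!isset($_SESSION['client_ip'])) {
        $_SESSION['client_ip'] = $ip;
    } elseif (!hash_equals($_SESSION['client_ip'], $ip)) {
        // Same cookie, different address: treat the cookie as stolen.
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Session rejected: client address changed.');
    }
}

start_secure_session($_SERVER);
// From here on, use relative URLs in links and form actions so the browser
// keeps the https scheme it arrived with.
```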
 
Donald
Elite member
"insecure"
 
Hey guys, I'm a C programmer!!!! :-)

Oh, that's right! Use VERY LITTLE words folks. :rofl:

Donald