[Valdis Kletnieks]
| And you verify that the digest isn't changed *how*? (Hint - how
| do you keep your attacker from handing you a piece of data along
| with a digest that matches?
We are talking about data that is taking a round-trip to the client in
eg. a hidden field. I think it is common to take one of two following
approaches:
1. Add a digest based on a _server_side_secret_ prepended to the
data. An attacker won't be able to correctly create a matching
digest, unless he also knows the server side secret.
2. Don't pass the data in clear at all, but rather pass it
encrypted. Encryption is of course done using a password only
known at the server.
Of course, the best thing is not to pass the data at all (keep it on
the server), but that's not always possible.
| > * Automatically checking the length of input where possible.
|
| In general, not doable outside of a strongly typed language - how
| does the API "know" that the maximum allowed length of a string is
| 37?
It must be stated somewhere, of course. Lengths are often stated
somewhere. In the database definition for instance (if we're talking
about databases). Personally, I think it would be a good idea to
describe the data model in such a generic format that it would be
possible to:
* build CREATE TABLE statments from it
* generate code that eg. checks length and type restrictions from it
Change the data model, type "make", and everything works as expected.
| Note that this is particularly tricky if (for instance) you're
| writing in Perl, which doesn't have an inherent maximum length,
| but you're eventually passing it to an Oracle database that has
| '37' as the length..
Why is it tricky? If you're somehow able to force the input through
substr($input, 0, 37), you have restricted it's length.
I'm quite certain I wouldn't create the new platform I'm dreaming
about with Perl as the basis, though.
| Hmm.. and the LDAP schemas, and the Oracle table definitions,
| and..... It's a lot harder to do than it looks
Yes, I know. Otherwise I would have built this platform two years ago
when I started playing with parts of it in my head.
| and usually just having good programming standards will do 95% of
| what's needed....
Yes, but then you need the programmers to understand why those
standards are in place, and why they should never, for any reason,
write code that conflicts the standards. My experience is that in
larger projects with many programmers on and off, that isn't doable.
Sverre.
--
shhat_private Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/ http://nerdquiz.thathost.com/
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 11:51:47 PDT