Elliott, I have found in my archive what I wanted to explain you (but
my English isn't good enough for word fight) and why your method will
not protect from packets sniffing. It's a 6 min. video on defeating
remote-exploit.com forum client side security. Security implementation
on forum is quite similar to your method and video shows how to defeat
it by using network sniffers.
http://rapidshare.com/files/112803255/Sniff_Forum_Password.rar.html
Just choose "Free", download it and learn. :)
Audrius
> "If I'll get a users password MD5 from cookies,"
> If that information is made available to an attacker, a level of security
> has been bypassed already...
> I am protecting from network eavesdropping (packet sniffers) here.
>
> "It means I must to find a way how to get cookies."
> All web applications suffer this problem, even over SSL. This is NOT what i
> am trying to fix here.
>
> "Actually I do not see any advantages in your method. I think that tokens
> can give the same functionality"
> "Both methods are prone to same attacks"
> Both not true. Tokens can be sniffed and used. My method stops this. That
> is the advantage.
>
>
> "I think you also must concentrate more on other parts of security too"
> I agree, however, any chain is only as strong as it's weakest link... right
> now, that is this issue!
> I have analyzed all aspects of the system including client OS, browser,
> user awareness (all of which we are lucky enough to manage also) :-)
> Priority has been given to this flaw.
Received on May 05 2008
Intro
