Re: [WebDNA] Encode cookies ONLY via "method=Base64"

This WebDNA talk-list message is from 2008.
> Try "hiding" the value inside a longer string and then
> use getchars to get the true value.

That's my plan at the moment. My current thoughts are to take this approach:

Insert each of the user/pass chars into specified locations within a very long string of random characters. Example, I create a string of 500 random chars, then I replace the chars that exist in "certain positions" with my original user/pass chars. For example, if the user value is "someusername" I will use each of those 12 chars, one at a time, to replace one char in a pre-specified position in the string of 500 chars. Same with the pass value. Then I use Base64 to further encode it before setting the result as a cookie value.

So the hacker has a problem: First he must realize that the cookie is Base64 encoded and decode it. Then he will see a string of 500 chars to further decode, but he doesn't know how many chars are in the user/pass values, nor does he know which of the 500 positions those chars occupy.

I think this should work until WebDNA can handle encrypted cookies properly. Do any of you see potential problems with this approach?

Sincerely,
Ken Grome


> Ken
>
> Try "hiding" the value inside a longer string and then
> use getchars to get the true value
>
> I resorted to this technique some time ago when I ended
> up with problems.
>
> Stuart
>
> On 27/10/2008, at 10:02 AM, Kenneth Grome wrote:
> >> sometimes a second decrypt and/or unurl
> >> is needed.
> >
> > A different number of decrypts and encrypts never
> > works, you must always use the same number of these
> > contexts. A different number of urls and unurls is
> > definitely necessary sometimes:
> >> Syntax reminder on variable (straight), and database
> >> encryption:
> >> Straight encryption: same amount of [url]'s going in
> >> as coming out
> >> Database encryption: one more [url] going in
> >> than coming out
> >
> > Right, thanks for the reminder.
> >
> > With the cookies I first tried the same number of urls
> > and unurls but it was failing, so then I tried using
> > one more url going in -- because I thought that *maybe*
> > using cookies is similar to using a database. But this
> > theory was wrong because an extra url with cookies does
> > not fix the problem like it does with a database.
> >
> >> Could you please tell us what server you're using?
> >
> > My client's Windows server running WebDNA 6.?
> >
> >> I have found the same thing as Ken has, and that it
> >> is on our list of potential bugs that we are
> >> addressing. The scope appears to be only in cookie and
> >> orderfile interaction so far.
> >
> > Orderfile too?
> >
> > Thanks Donovan, that's two scopes we should avoid when
> > using the standard WebDNA encryption. Too bad though,
> > since I want to use encrypted cookies for security
> > reasons.
> >
> >
> > PROBABLE CONCLUSION:
> >
> > Although Base64 is an encoding method (not an
> > encryption method) it is the ONLY method that actually
> > works when trying to obfuscate cookie values.
> >
> > Base64 is certainly not secure like an encrypted value
> > might be, but it is better than nothing I guess. I
> > tested all methods using cookies with the following
> > results:
> >
> > standard webdna encryption --> fails 1/4 of the time
> > method=CyberCash --> cannot be decrypted
> > method=APOP --> cannot be decrypted
> > method=Base64 --> 100% reliable in dozens of tests
> >
> >
> > Sincerely,
> > Ken Grome
> > ---------------------------------------------------------
> > This message is sent to you because you are
> > subscribed to the mailing list .
> > To unsubscribe, E-mail to:
> > archives: http://mail.webdna.us/list/talk@webdna.us
> > old archives: http://dev.webdna.us/TalkListArchive/
> > ---------------------------------------------------------
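Ken's scheme above, written out and then taken apart, as an added example that is not part of the original post and is not WebDNA code (Python is used because the point is the algorithm, not the template syntax). It assumes a 62-character filler alphabet and two hypothetical position tables, USER_POS and PASS_POS, kept in server-side code and reused for every cookie; the post does not give these. The first two functions build and read the cookie exactly as described. The third shows why the result is obfuscation rather than encryption: the position tables are the only secret, and they can be recovered from a handful of cookies issued to an account whose credentials the attacker already knows (their own), after which any other user's stolen cookie reads out in one step. The Base64 layer adds nothing against this.

```python
import base64
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # assumed filler alphabet (62 symbols)
FILLER_LEN = 500                                  # the 500 random chars from the post

# Hypothetical position tables (an assumption, not from the post): one slot per
# credential character, held in server code and reused for every cookie issued.
# They are the only thing standing between a cookie thief and the plaintext.
USER_POS = [7, 43, 88, 120, 151, 199, 233, 276, 310, 365, 402, 477]
PASS_POS = [19, 61, 97, 133, 170, 212, 258, 291, 337, 381, 429, 490]


def make_cookie(user, password):
    """Server side: write user/pass chars into their slots in random filler, then Base64."""
    if len(user) > len(USER_POS) or len(password) > len(PASS_POS):
        raise ValueError("credential longer than its position table")
    buf = [secrets.choice(ALPHABET) for _ in range(FILLER_LEN)]
    for ch, pos in zip(user, USER_POS):
        buf[pos] = ch
    for ch, pos in zip(password, PASS_POS):
        buf[pos] = ch
    return base64.b64encode("".join(buf).encode()).decode()


def read_cookie(cookie, user_pos, pass_pos):
    """Read the slot characters back out (what getchars does in WebDNA).
    Anyone holding the position tables can do this; there is no key."""
    raw = base64.b64decode(cookie).decode()
    return "".join(raw[p] for p in user_pos), "".join(raw[p] for p in pass_pos)


def recover_positions(cookies, known_value):
    """Attacker side: given several cookies issued for an account whose
    credentials the attacker knows (their own), find each character's slot.
    A slot holds the same character in every cookie, while a filler position
    matches only by chance (1/62 per cookie), so intersecting the candidate
    positions over a few cookies isolates the slot.  known_value must use
    distinct characters: a repeated one leaves two slots in the intersection
    and their order is ambiguous, so this helper insists on exactly one."""
    raws = [base64.b64decode(c).decode() for c in cookies]
    positions = []
    for ch in known_value:
        candidates = set(range(FILLER_LEN))
        for raw in raws:
            candidates &= {p for p, c in enumerate(raw) if c == ch}
        if len(candidates) != 1:
            raise ValueError(f"slot for {ch!r} not unique; use distinct chars or more cookies")
        positions.append(candidates.pop())
    return positions


def demo():
    """Constructed walk-through: the attacker registers an account whose two
    fields use 12 distinct, non-overlapping characters, logs in six times to
    collect cookies, recovers the slots, then reads someone else's cookie."""
    my_user, my_pass = "abcdefghijkl", "mnopqrstuvwx"
    mine = [make_cookie(my_user, my_pass) for _ in range(6)]
    user_pos = recover_positions(mine, my_user)
    pass_pos = recover_positions(mine, my_pass)
    victim = make_cookie("someusername", "Secret12")   # constructed victim cookie
    return user_pos, pass_pos, read_cookie(victim, user_pos, pass_pos)


if __name__ == "__main__":
    user_pos, pass_pos, (user, password) = demo()
    print("recovered user slots:", user_pos)
    print("recovered pass slots:", pass_pos)
    print("victim cookie reads:", user, password[:8], "(slots past the password end are filler)")
```

Running the file prints the recovered slot tables and the victim's username and password. Two details worth noting: the random filler hides which characters of one cookie matter, but not which positions, because the positions never change between cookies; and the server still has to know each field's length to read it back (the post does not say where that would be stored), which is why read_cookie is simply handed the slices to read.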
Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Stuart Tremain 2012)
  2. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Brian Fries 2012)
  3. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime Inc, Matthew A Perosi " 2012)
  4. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Govinda 2012)
  5. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Stuart Tremain 2012)
  6. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  7. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  8. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  9. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  10. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  11. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  12. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  13. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  14. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Gary Krockover" 2008)
  15. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  16. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  17. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Marc Thompson 2008)
  18. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Bob Minor 2008)
  19. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Brian Fries 2008)
  20. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Marc Thompson 2008)
  21. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Patrick McCormick 2008)
  22. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  23. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Brian Fries 2008)
  24. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Christer Olsson 2008)
  25. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  26. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  27. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  28. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  29. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  30. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  31. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  32. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime, Matthew A Perosi " 2008)
  33. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Stuart Tremain 2008)
  34. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Bob Minor 2008)
  35. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  36. RE: [WebDNA] Encode cookies ONLY via "method=Base64" ("Olin Lagon" 2008)
  37. RE: [WebDNA] Encode cookies ONLY via "method=Base64" ("Olin Lagon" 2008)
  38. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime, Matthew A Perosi " 2008)
  39. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  40. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime, Matthew A Perosi " 2008)
  41. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  42. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime, Matthew A Perosi " 2008)
  43. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  44. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Stuart Tremain 2008)
  45. [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
