Re: [WebDNA] Encode cookies ONLY via "method=Base64"

This WebDNA talk-list message is from 2008.

> Try "hiding" the value inside a longer string and then
> use getchars to get the true value.

That's my plan at the moment. My current thoughts are to take this approach:

Insert each of the user/pass chars into specified locations within a very long string of random characters. Example, I create a string of 500 random chars, then I replace the chars that exist in "certain positions" with my original user/pass chars. For example, if the user value is "someusername" I will use each of those 12 chars, one at a time, to replace one char in a pre-specified position in the string of 500 chars. Same with the pass value.

Then I use Base64 to further encode it before setting the result as a cookie value.

So the hacker has a problem: First he must realize that the cookie is Base64 encoded and decode it. Then he will see a string of 500 chars to further decode, but he doesn't know how many chars are in the user/pass values, nor does he know which of the 500 positions those chars occupy.

I think this should work until WebDNA can handle encrypted cookies properly.

Do any of you see potential problems with this approach?

Sincerely,
Ken Grome

> Ken
>
> Try "hiding" the value inside a longer string and then
> use getchars to get the true value
>
> I resorted to this technique some time ago when I ended
> up with problems.
>
> Stuart
>
> On 27/10/2008, at 10:02 AM, Kenneth Grome wrote:
> >> sometimes a second decrypt and/or unurl
> >> is needed.
> >
> > A different number of decrypts and encrypts never
> > works, you must always use the same number of these
> > contexts. A different number of urls and unurls is
> > definitely necessary
> >
> > sometimes:
> >> Syntax reminder on variable (straight), and database
> >> encryption:
> >> Straight encryption: same amount of [url]'s going in
> >> as coming out
> >> Database encryption: one more [url] going in
> >> than coming out
> >
> > Right, thanks for the reminder.
> >
> > With the cookies I first tried the same number of urls
> > and unurls but it was failing, so then I tried using
> > one more url going in -- because I thought that *maybe*
> > using cookies is similar to using a database. But this
> > theory was wrong because an extra url with cookies does
> > not fix the problem like it does with a database.
> >
> >> Could you please tell us what server you're using?
> >
> > My client's Windows server running WebDNA 6.?
> >
> >> I have found the same thing as Ken has, and that it
> >> is on our list of potential bugs that we are
> >> addressing. The scope appears to be only in cookie and
> >> orderfile interaction so far.
> >
> > Orderfile too?
> >
> > Thanks Donovan, that's two scopes we should avoid when
> > using the standard WebDNA encryption. Too bad though,
> > since I want to use encrypted cookies for security
> > reasons.
> >
> >
> > PROBABLE CONCLUSION:
> >
> > Although Base64 is an encoding method (not an
> > encryption method) it is the ONLY method that actually
> > works when trying to obfuscate cookie values.
> >
> > Base64 is certainly not secure like an encrypted value
> > might be, but it is better than nothing I guess. I
> > tested all methods using cookies with the following
> > results:
> >
> > standard webdna encryption --> fails 1/4 of the time
> > method=CyberCash --> cannot be decrypted
> > method=APOP --> cannot be decrypted
> > method=Base64 --> 100% reliable in dozens of tests
> >
> >
> > Sincerely,
> > Ken Grome
> > ---------------------------------------------------------
> > This message is sent to you because you are
> > subscribed to the mailing list .
> > To unsubscribe, E-mail to:
> > archives: http://mail.webdna.us/list/talk@webdna.us
> > old archives: http://dev.webdna.us/TalkListArchive/
> > ---------------------------------------------------------
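The slot-embedding plan above, modelled in Python as an added example (not WebDNA code and not from the thread) beside an HMAC-signed cookie as the alternative a defender would reach for: the slot tables, the `|` padding and the sample key are constructed assumptions. The point it makes is that `read_obfuscated_cookie` needs no key at all, only the slot tables that sit in server code, so the scheme is obfuscation; the signed variant keeps the password out of the cookie entirely and makes any edit detectable.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Constructed slot tables: positions inside the 500-char filler that hold the
# user and password chars. They live in the template, not in a key.
USER_SLOTS = (7, 17, 42, 88, 99, 150, 203, 260, 275, 311, 362, 377, 404, 433, 466, 491)
PASS_SLOTS = (13, 33, 58, 77, 121, 166, 188, 231, 244, 299, 318, 340, 389, 421, 455, 470)
FILLER_LEN = 500
ALPHABET = string.ascii_letters + string.digits  # filler never contains "|"


def embed(value: str, slots: tuple, filler: str) -> str:
    """Overwrite the filler chars at SLOTS with VALUE, padded with "|"."""
    if len(value) > len(slots) or "|" in value:
        raise ValueError("value does not fit the reserved slots")
    chars = list(filler)
    for slot, ch in zip(slots, value.ljust(len(slots), "|")):
        chars[slot] = ch
    return "".join(chars)


def extract(blob: str, slots: tuple) -> str:
    """The getchars step: read the slot positions back and drop the padding."""
    return "".join(blob[i] for i in slots).rstrip("|")


def obfuscated_cookie(user: str, password: str) -> str:
    filler = "".join(secrets.choice(ALPHABET) for _ in range(FILLER_LEN))
    blob = embed(password, PASS_SLOTS, embed(user, USER_SLOTS, filler))
    return base64.b64encode(blob.encode()).decode()


def read_obfuscated_cookie(cookie: str) -> tuple:
    # No key: Base64 plus the slot tables recover both values.
    blob = base64.b64decode(cookie).decode()
    return extract(blob, USER_SLOTS), extract(blob, PASS_SLOTS)


def signed_cookie(user: str, key: bytes) -> str:
    """Carry only the username, plus an HMAC so the server can reject edits."""
    payload = base64.urlsafe_b64encode(user.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_signed_cookie(cookie: str, key: bytes):
    """Return the username if the tag matches, None for any tampered cookie."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return base64.urlsafe_b64decode(payload).decode()
```

The HMAC gives tamper evidence, not secrecy; if the cookie must also hide its contents, that needs real authenticated encryption, which this stdlib-only sketch does not provide.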