Re: PHP encryption again

Its like the lock on your door, that lock will not keep someone that is 
hell bent on breaking into your house out, instead it keeps the honest 
people and the everyday crook out.

Richard Thomas - CEO
Cyberlot Technologies Group Inc.
507.398.4124 - Voice



Paul Bramscher wrote:

> Allie Micka wrote:
>
> > On Mar 14, 2005, at 2:12 PM, Paul Bramscher wrote:
> >
> > > (1)   While it's impossible to reconstruct the server key by hacking 
> > > into the client, it means that the hacker would instead try to 
> > > emulate the client, focus his efforts there.  That is, spoof all 
> > > information the client is sending to the server.  So it doesn't 
> > > matter what you do server-side to the session ID -- if the hacker 
> > > *perfectly* spoofs the client, any extra precautions taken 
> > > server-side are merely snake oil.
> >
> >
> >
> > Not snake oil at all.  It is true that there's no way a hash or key 
> > will protect you 100% for ever and ever.  But it takes a long time to 
> > derive a session id, and  much longer to derive any other kind of 
> > secondary identification.  The time it takes to derive this info is a 
> > multiple of each level of security.
>
>
> My point is more generic (and mainly theoretical).  Remember the old 
> "mind-reading" trick that goes something like this:
>
> client: pick a number 1 - 100.
> server & client instructions:
> (1)   add 5
> (2)   subtract 3
> (3)   add 1
> (4)   subtract 3
> (5)   subtract the original number
> Now let me guess... You have "0"?
>
> My point was that fully cloning the client puts the hacker into a 
> position where the server-side manipulations, regardless of what they 
> are, will be to no avail.  You can keep adding more steps, but it's 
> pointless.  The hacker has *become* the client in the server's eyes, 
> so any manipulations to the session, etc. will be performed to the 
> hacker identically as for the authenticated user.
>
> But I agree -- unless there's some unknown mathematical weakness with 
> SSL, some sysadmin doesn't catch billions of attempts to hack a 
> session_id, or it becomes all too easy to hack into a client's 
> computer and lift the cookie and spoof the IP, then these arguments 
> are all only theoretical.
>
> So probably any hacker is going to look first at cloning the client 
> before even bothering with an upfront assault on the server.  This is 
> why I prefer linux, since I trust a properly configured linux box far 
> more than an MS box, whose security mechanisms are all closed source 
> and have never met the eye of public scrutiny...
>
> Paul Bramscher
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: talk-unsubscribe-4zcLI8jJc/rYtjvyW6yDsg@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: 
> talk-help-4zcLI8jJc/rYtjvyW6yDsg@xxxxxxxxxxxxxxxx