Name: Keith Gaughan
Member since: 2005-01-13 01:46:31
Last Login: N/A



Recent blog entries by hereticmessiah

'Lo, kids! I've got another algorithm I want to idiot check. This one's a way of ensuring that a bunch of data passed in a form can't be tampered with easily.

Ok. Say you're pulling some bunch of data in response to a search from some external source. Some of this data includes things like prices, discounts, and the like. It's not important that this information is invisible to a potential (malicious or otherwise) user, but it's important that it can't be tampered with. Because there's no easy way for the receiving page to validate the data, we need to mark it somehow.

A checksum is out of the question: too easy. However, the software is web-based, so we could store some kind of hidden key in a session variable. We could then concatenate the contents of each of the form fields that must not be alterable, and append the hidden key to the start or end. We could then hash the resulting string to generate a fingerprint to be passed with the form. Checking the fingerprint would mean reassembling the string from the form fields and the key, hashing the result, and comparing it to the fingerprint that was passed.

The hidden key would have to be something fairly random, such as the output of a fairly strong random number generator, or even a UUID. It's not sufficient to use one single static key for the whole application, as this could be too easily found out. Nor is it ideal to have a periodically refreshed one (regenerated after the application times out from lack of use). Though the latter might suffice, it's still potentially shared between a large number of hosts, and could be cracked by somebody determined enough.

So a session is the only way. This is tied to one client, and even if some kind of attack is made to try to decipher the key, throttling could be put in place to make sure they can't do much, and if they do they'll be noticed.

So, does anybody see any flaws in this? It's a simple enough (and frankly, fairly obvious) scheme. I'd be unsurprised if I'm not the first person to come up with this.

I'd appreciate any feedback.
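The scheme in the entry above, as an added example that is not part of the original post: the session-scoped secret is mixed into the hash with HMAC-SHA256 (a standard keyed hash, used here in place of hashing the raw concatenation of fields and key), each field name and value is length-prefixed before hashing so that adjacent values cannot run together, and the verify step uses a constant-time comparison. The field names and values are constructed sample data.

```python
import hashlib
import hmac
import secrets


def encode_fields(fields):
    """Serialise the protected fields unambiguously.

    Fields are sorted by name and every name and value is length-prefixed,
    so {"x": "ab", "y": "c"} and {"x": "a", "y": "bc"} produce different
    byte strings even though plain concatenation would make them collide.
    """
    parts = []
    for name in sorted(fields):
        for item in (name, str(fields[name])):
            data = item.encode("utf-8")
            parts.append(str(len(data)).encode("ascii") + b":" + data)
    return b"".join(parts)


def new_session_key():
    """Per-session secret, as the post requires; kept server-side only."""
    return secrets.token_bytes(32)


def fingerprint(fields, session_key):
    """Tag to embed in the form alongside the (visible) protected fields."""
    return hmac.new(session_key, encode_fields(fields), hashlib.sha256).hexdigest()


def verify(fields, session_key, tag):
    """Recompute the tag from the submitted fields and the session's key."""
    expected = fingerprint(fields, session_key)
    return hmac.compare_digest(expected, tag)


def demo(session_key):
    # Constructed sample: the search result the server rendered into the form.
    protected = {"sku": "A-100", "price": "49.99", "discount": "10"}
    tag = fingerprint(protected, session_key)
    # A submission with the price changed must fail; so must a submission
    # replayed under a different session's key.
    tampered = dict(protected, price="0.99")
    return (
        verify(protected, session_key, tag),
        verify(tampered, session_key, tag),
        verify(protected, new_session_key(), tag),
    )


if __name__ == "__main__":
    print(demo(new_session_key()))  # expected: (True, False, False)
```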

Ooh! badvogato rated me as master! I'm not sure I deserve it though. And kudos to MartySchrader for certifying me too.

Having had a crappy fortnight struggling to interface with Cendant's Galileo system for work (partly because it's sadistic, and partly because I'm stupid), and a whole bunch of other crappy work-related crap, I'm now sweating like a pig, sitting behind the counter of a boiling hot gaming café. I've been run off my feet all day, and now all I want to do is sleep. Helping out friends sucks! :-)

Meanwhile, I'm finding hacking on the software to drive the FusionWiki site more fun than hacking on the project itself! The small CMS I started hacking together is beginning to take on a life of its own!

Well, I've recertified everybody who I'd given certification to in the past, but, of course, the old certifications I got still aren't showing up. Thanks to gilbou and salmoni for certifying me as Journeyer.

13 Jan 2005 (updated 13 Jan 2005 at 01:57 UTC)

Something very, very odd's after happening.

Very odd. Worrying, even.

My Advogato account disappeared.

Not completely, mind you.

FusionWiki was still listed with me as lead developer. Quite odd.

So I created a new account under the same name, and lo and behold, all my diary entries were still there.

But all the certification was gone. Disappeared. Kaput.

Any of the certification I'd given to others was gone, and all the certification I'd got was gone.

And all this happened without any notice.

So, did mod_virgule cough up a furball, or did I say something?


30 Dec 2004 (updated 30 Dec 2004 at 07:08 UTC)

I really need to get my shit together and just do stuff rather than procrastinating all the time. Come to think of it, what am I doing here? I'm supposed to be hacking some webservices together. :-(

Preemptive new year's resolution: cut back on the number of feeds and mailing lists I'm on until I feel I'm productive again. Less bloody browsing! And worship Merlin Mann as the god he surely is. And read Gaping Void a bit more.



hereticmessiah certified others as follows:

  • hereticmessiah certified salmoni as Journeyer
  • hereticmessiah certified returnoftheredi as Journeyer
  • hereticmessiah certified dorward as Journeyer
  • hereticmessiah certified badvogato as Master
  • hereticmessiah certified Bram as Master
  • hereticmessiah certified hypatia as Journeyer
  • hereticmessiah certified MartySchrader as Journeyer
  • hereticmessiah certified mwh as Master
  • hereticmessiah certified Akira as Journeyer
  • hereticmessiah certified sisob as Master
  • hereticmessiah certified hereticmessiah as Journeyer
  • hereticmessiah certified cmiller as Journeyer
  • hereticmessiah certified titus as Journeyer
  • hereticmessiah certified gnutizen as Journeyer
  • hereticmessiah certified fxn as Master
  • hereticmessiah certified Penix as Apprentice
  • hereticmessiah certified lerdsuwa as Journeyer
  • hereticmessiah certified dangermaus as Journeyer
  • hereticmessiah certified lkcl as Master
  • hereticmessiah certified Inoshiro as Journeyer
  • hereticmessiah certified kuro5hin as Master

Others have certified hereticmessiah as follows:

  • salmoni certified hereticmessiah as Journeyer
  • hereticmessiah certified hereticmessiah as Journeyer
  • MartySchrader certified hereticmessiah as Journeyer
  • badvogato certified hereticmessiah as Master
  • gnutizen certified hereticmessiah as Journeyer
  • fxn certified hereticmessiah as Journeyer
  • titus certified hereticmessiah as Journeyer
  • lerdsuwa certified hereticmessiah as Journeyer
  • michael383 certified hereticmessiah as Journeyer
  • chakie certified hereticmessiah as Journeyer
  • hiddenpower certified hereticmessiah as Journeyer

