Full Disclosure mailing list archives
Re: NSRG-Security SaS Encryption cracked
From: Valdis.Kletnieks () vt edu
Date: Wed, 15 Oct 2003 12:44:58 -0400
On Wed, 15 Oct 2003 01:55:10 CDT, Paul Tinsley <pdt () jackhammer org> said:
> full-disclosure it inspired me to audit a few websites myself. I started with the author of all the IMHO frivolous postings and found that he "encrypted" his website with something called SaS that his group wrote.
Since the transmitted HTML needs to be (eventually) interpreted as HTML, there are only two basic options:

1) Settle for mere obfuscation and a snippet of reverse-engineerable Javascript or similar that decodes the obfuscated input to HTML that the browser will accept.

2) Use a public-key or shared-secret system wherein each client gets a potentially different version of the page (note that this includes the case of an HTTP authentication failing and giving you an error page).

Again, to repeat - without some sort of per-client unique key, all you can do is obfuscate, and said obfuscation has to be done in a programmable reversible way to be at all useful.
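The two options described in the message above, as an added example that is not part of the original post and does not reproduce SaS. The XOR scheme, its key byte, the sample page and the client names are constructed for illustration; AES-256-GCM stands in for "a shared-secret system".

```javascript
// Added illustration. The XOR scheme, key byte and page are constructed;
// this is not the SaS algorithm.
const nodeCrypto = require("crypto");

const PAGE = "<html><body>members only</body></html>"; // constructed sample

const xor = (buf, k) => Buffer.from(Uint8Array.from(buf, (b) => b ^ k));

// Option 1: one response for everyone, decoder and key included.
function serveObfuscated(html) {
  const key = 0x5a; // constant embedded in the page's own script
  return { data: xor(Buffer.from(html, "utf8"), key).toString("base64"), key };
}

// Anyone holding the response can do what the browser does.
function decodeFromResponseAlone(resp) {
  return xor(Buffer.from(resp.data, "base64"), resp.key).toString("utf8");
}

// Option 2: encrypt per client with a 32-byte secret that never travels
// in the response.
function serveEncrypted(html, clientKey) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", clientKey, iv);
  const ct = Buffer.concat([c.update(html, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Returns the HTML, or null when the key is not the one used to encrypt.
function decryptWithKey(resp, key) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, resp.iv);
  d.setAuthTag(resp.tag);
  try {
    return Buffer.concat([d.update(resp.ct), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

const alice = nodeCrypto.randomBytes(32); // constructed per-client secrets
const mallory = nodeCrypto.randomBytes(32);
const sealed = serveEncrypted(PAGE, alice);
console.log(decodeFromResponseAlone(serveObfuscated(PAGE)) === PAGE);
console.log(decryptWithKey(sealed, alice) === PAGE, decryptWithKey(sealed, mallory));
```

When reviewing a "protected" page, the question to ask is whether the response alone contains everything needed to render it; if it does, the content is obfuscated, not confidential.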
Current thread:
- NSRG-Security SaS Encryption cracked Paul Tinsley (Oct 15)
- Re: NSRG-Security SaS Encryption cracked John Sage (Oct 15)
- Re: NSRG-Security SaS Encryption cracked Valdis . Kletnieks (Oct 15)
- <Possible follow-ups>
- Re: NSRG-Security SaS Encryption cracked Paul Tinsley (Oct 15)