WebApp Sec mailing list archives

RE: advice needed - secure transfer of client details


From: "Michael Silk" <michaels () phg com au>
Date: Mon, 1 Nov 2004 09:25:45 +1100

Hi Tim,

        > How can a client communicate details that are only known to the
        > client, up to a server, in a way that cannot be tampered with ? Why
        > should a server trust the supplied values ? The data for the
        > workstation next to me is known by everyone - why can't I create an
        > applet to reproduce those details, and hence impersonate that
        > workstation ?

        Well what you need here is basically SSL (to secure the transfer
between two previously unrelated clients) + a certificate to identify
the client.

        Obviously, if you can get the information required to identify
yourself as another workstation there is a problem ... So the solution
is to make that information very hard to get ... I.e. consider securing
its access (the certificate) via some key ... Common systems are
smartcards, etc.

-- Michael


-----Original Message-----
From: Tim James [mailto:jimtames () yahoo com] 
Sent: Friday, 29 October 2004 8:18 PM
To: webappsec () securityfocus com
Subject: advice needed - secure transfer of client details

Hi all,

This is a brain teaser. I have an application to review which supplies
details from the client's workstation (derived from files on disk,
hostname, IP address). It currently implements a Java applet whose job
is to obtain these details and send them up to the server in an ordinary
HTTP POST. 

This sends alarm bells ringing for me. I have developed a simple attack
whereby I can replace the applet at will with my own code, which can
send different details for workstation ID, hostname, IP address. This
falsifies the audit trail from this point on and the server is none the
wiser.

So, the general problem is this :-

How can a client communicate details that are only known to the client,
up to a server, in a way that cannot be tampered with ? Why should a
server trust the supplied values ? The data for the workstation next to
me is known by everyone - why can't I create an applet to reproduce
those details, and hence impersonate that workstation ?

I have some ideas but none are totally satisfactory. 

1) Encrypt the data
This shifts the problem to one of key management.
2) Checksum the applet
3) Keep the details on the server in the first place and supply some
token from the client which cannot be impersonated

I would *really* appreciate a different perspective on this problem
because I'm kind of stalled.....

Thanks a lot

Tim
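
The approach discussed in this thread (a client certificate over SSL, combined with idea 3 of keeping the details on the server) can be shown from the server's side. This is an added example, not code from either message; the registry contents, workstation names and the mapping from certificate CN to workstation are constructed assumptions.

```python
import ssl

# Constructed server-side registry: the details live on the server, keyed by
# the certificate subject CN issued to each workstation (hypothetical names).
REGISTRY = {
    "ws-0417": {"hostname": "acct-desk-17", "ip": "10.20.4.17"},
    "ws-0418": {"hostname": "acct-desk-18", "ip": "10.20.4.18"},
}


def make_server_context(ca_file, cert_file, key_file):
    """TLS context that refuses any client lacking a cert signed by our CA."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def common_name(peer_cert):
    """Extract the subject CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_record(peer_cert, posted):
    """Build the audit entry from the verified cert, not from the POST body."""
    cn = common_name(peer_cert)
    if cn not in REGISTRY:
        raise PermissionError("certificate does not map to a known workstation")
    trusted = REGISTRY[cn]
    # Posted values are only claims; record where they disagree with the registry.
    mismatches = sorted(k for k, v in posted.items()
                        if k in trusted and trusted[k] != v)
    return {"workstation": cn, **trusted, "mismatched_claims": mismatches}


if __name__ == "__main__":
    # Constructed input: ws-0417's verified cert, POST body copying its neighbour.
    cert = {"subject": ((("commonName", "ws-0417"),),)}
    forged = {"hostname": "acct-desk-18", "ip": "10.20.4.18"}
    print(audit_record(cert, forged))
```

The audit trail then depends on who holds the certificate's private key rather than on values anyone can read off the next desk, which is why the reply suggests guarding that key with something like a smartcard.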
