Advogato blog for hereticmessiah

31 Jan 2005

Mon, 31 Jan 2005 21:47:23 GMT

'Lo, kids! I've got another algorithm I want to idiot check. This one's a way of ensuring that a bunch of data passed in a form can't be tampered with easily.

Ok. Say you're pulling some bunch of data in response to a search from some external source. Some of this data includes things like prices, discounts, and the like. It's not important that this information is invisible to a potential (malicious or otherwise) user, but it's important that it can't be tampered with. Because there's no easy way for the receiving page to validate the data, we need to mark it somehow.

A checksum is out of the question: too easy. However, the software is web-based, so we could store some kind of a hidden key in a session variable. We could then concatenate the contents of each one of the form fields that must not be alterable, and append the hidden key onto the start or end. We could then hash the resulting string to generate a fingerprint to be passed with the form. Checking the code would mean reassembling the string from the form fields and the key, hashing the result, and comparing it to the fingerprint.

The hidden key would have to be something fairly random, like a fairly strong random number generator, or even a UUID. It's not sufficient to use one single static key for the whole application, as this could be too easily found out. Nor is it ideal to have a periodically (regenerated after the application times out from lack of use) refreshed one. Though the latter might suffice, it's still potentially shared between a large number of hosts, and could be cracked by somebody determined enough.

So a session is the only way. This is tied to one client, and even if some kind of attack is made to try to decipher the key, throttling could be put in place to make sure they can't do much, and if they do they'll be noticed.

So, does anybody see any flaws in this? It's a simple enough (and frankly, fairly obvious) scheme. I'd be unsurprised if I'm not the first person to come up with this.

I'd appreciate any feedback.

16 Jan 2005

Sun, 16 Jan 2005 03:39:34 GMT

Ooh! badvogato rated me as master! I'm not sure I deserve it though. And kudos to MartySchrader for certifying me too.

Having has a crappy fortnight struggling to interface with Cendant's Galileo system for work (partly because it's sadistic, and partly because I'm stupid), and a whole bunch of other crappy work-related crap, I'm now sweating like a pig, sitting behind the counter of a boiling hot gaming café. I've been run off my feet all day, and now all I want to do is sleep. Helping out friends sucks! :-)

Meanwhile, I'm finding hacking on the software to drive the FusionWiki site more fun than hacking on the project itself! The small CMS I started hacking together is beginning to take on a life of its own!

13 Jan 2005

Thu, 13 Jan 2005 18:57:45 GMT

Well, I've recertified everybody who I'd given certification to in the past, but, of course, the old certifications I got still aren't showing up. Thanks to gilbou and salmoni for certifying me as Journeyer.

13 Jan 2005

Thu, 13 Jan 2005 01:52:41 GMT

Something very, very odd's after happening.

Very odd. Worrying, even.

My Advogato account disappeared.

Not completely, mind you.

FusionWiki was still listed with me as lead developer. Quite odd.

So I created a new account under the same name, and lo and behold, all my diary entries were still there.

But all the certification was gone. Disappeared. Kaput.

Any of the certification I'd given to others was gone, and all the certification I'd got was gone.

And all this happened without any notice.

So, did mod_virgule cough up a furball, or did I say something?

Hrumph!

30 Dec 2004

Thu, 30 Dec 2004 06:56:09 GMT

I really need to get my shit together and just do stuff rather than procrastinating all the time. Come to think of it, what am I doing here? I'm supposed to be hacking some webservices together. :-(

Preemptive new year's resolution: cut back on the number of feeds and mailing lists I'm on until I feel I'm productive again. Less bloody browsing! And worship Merlin Mann as the god he surely is. And read Gaping Void a bit more

30 Dec 2004

Thu, 30 Dec 2004 06:50:38 GMT

I've thrown up FusionWiki, my quick hack of a ColdFusion wiki, up on sourceforge. The code is currently crap, but bear in mind that it was originally written in a couple of hours just because I needed a ColdFusion wiki that generated decent markup.

The current codebase is now happily sitting in its CVS repository, and I hope to start doing more work on it soon.

4 Oct 2004

Mon, 4 Oct 2004 02:17:18 GMT

Did I mention that I started working again about a month and a half ago? Probably not. Well, I have.

12 Jul 2004

Mon, 12 Jul 2004 14:32:39 GMT

I. Have. A. Gmail. Account!

8 Jul 2004

Thu, 8 Jul 2004 16:27:46 GMT

As part of Job Search 2004, I’m resubscribing to the Open lists (you’ll know them if you’re an Irish developer) to see what jobs are about. Here goes nothing!

7 Jul 2004

Wed, 7 Jul 2004 20:43:40 GMT

Woohoo! I’ve got the lads at Digital Crew to set up a datasource for me, so now I can work on getting my linklog up and running. About time too!

I’ve decided I’m going to write that Advogato Poster myself. I found XMLRPC-C back last in June 2003, and I’ve been hacking with wxWidgets recently. The basic app shouldn’t be all that difficult to knock together, I think, but I just need a box to build it all on. Seeing as my project box in college hasn’t been wiped by the admins yet, I think I might do it there.

And meanwhile, having finished my degree, jobsearching in Cork...