On Wed, Apr 13, 2011 at 6:25 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> I'm not clear on what the Dropbox host_id is either, but Muffett gives
> the classic example: ssh keys. Good analogy, I think.

  Well, that depends.

  If the host_id is a private/secret key, okay, it's a great analogy.
But private keys are, you know -- private.  Using one as a handle for
something makes no sense.  Further, from what I've seen of host IDs,
they appear to be maybe 30-60 bytes in length (depending on exactly what
the ASCII strings I saw were encoding).  240-480 bits.  That's not
private key sized.

  I've seen a few different sample URLs.  One is:

https://www.getdropbox.com/tray_login?host_id=BLAH

but does not actually give an ID.  Another does:

https://www.dropbox.com/cli_link?host_id=7d44a557aa58f285f2da0x67334d02c1

  So it would appear a host ID serves to uniquely identify a host
(shocking </sarcasm>), and is sometimes passed around in URLs as part
of the Dropbox client linking to a Dropbox webserver.  They're
relatively short.

  So as analogies go, they're nothing like SSH keys.  They're more
like IP addresses, or hostnames, or user logon names.  Especially that
last -- since they're provided by the client itself and have no other
association with other systems (e.g., in contrast, you can do things
to check a client's purported hostname against DNS).

  Now, if the only thing used to authenticate a client is (e.g.) a
64-bit sequentially assigned serial number which is sometimes exposed
in semi-public URLs, that is indeed a very bad security design.

  But some of the chatter around this suggests there may be more to it.
We're still in the initial-flurry-of-misinformation phase that usually
surrounds any technical news story.  As I don't have the time to do a
thorough job researching, I have to wait for some accuracy to
precipitate out of this cloud of confusion.

-- Ben
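What the "handle versus key" distinction in the message above looks like in code, as an added illustration that is not part of Ben's reply and is not Dropbox's protocol: a server that treats a static host id as a bearer credential (anyone who saw the URL can present it), beside a challenge-response check in which the id is only a lookup handle and the client proves possession of a secret that never travels in a URL. An HMAC over a server nonce stands in for the SSH signature; the servers, the per-host secret, the nonces and the scenario names are all constructed for the example. The only value taken from the thread is the sample host_id quoted in the cli_link URL.

```python
"""Bearer identifier vs. proof of possession.

Constructed example (not Dropbox's protocol, not code from the thread).
The only real value is the sample host_id quoted in the message; the
servers, secret, nonces and the HMAC-based proof are all stand-ins.
"""
import hashlib
import hmac
import secrets

# Sample id quoted in the message (32 ASCII characters as written there).
SAMPLE_HOST_ID = "7d44a557aa58f285f2da0x67334d02c1"


def bit_length_bounds(identifier):
    """Upper bounds on how much entropy an ASCII identifier could carry.

    Returns (bits_if_opaque_ascii, bits_if_hex): 8 bits per character if
    every byte is free, 4 bits per character if the string is hex-encoded
    binary.  Real entropy is at most the smaller figure that applies, and
    could be far lower (a sequential counter has almost none).
    """
    n = len(identifier)
    return (8 * n, 4 * n)


class BearerIdServer:
    """Scheme A: 'authentication' is equality against a stored static id.

    Whoever learns the id (from a URL, a proxy log, a screenshot) can
    present it and is indistinguishable from the real client.
    """

    def __init__(self, known_ids):
        self.known = set(known_ids)

    def authenticate(self, presented_id):
        return presented_id in self.known


class ChallengeServer:
    """Scheme B: the id is only a handle; the client must prove possession
    of a per-host secret by answering a fresh server nonce.

    An HMAC stands in for the SSH-style signature: same shape (secret
    never transmitted, proof bound to a one-time challenge), simpler code.
    """

    def __init__(self, registered):
        self.keys = dict(registered)      # handle -> secret (constructed)
        self.outstanding = {}             # handle -> nonce awaiting an answer

    def challenge(self, handle):
        nonce = secrets.token_bytes(16)
        self.outstanding[handle] = nonce  # a new challenge voids the old one
        return nonce

    def authenticate(self, handle, proof):
        nonce = self.outstanding.pop(handle, None)   # single use
        secret = self.keys.get(handle)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def client_prove(secret, nonce):
    """Client side of scheme B: answer the nonce with HMAC(secret, nonce)."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_scenarios():
    """Play the legitimate client and an eavesdropper against both schemes."""
    out = {}

    # Scheme A: the eavesdropper who saw the URL replays the id and wins.
    bearer = BearerIdServer([SAMPLE_HOST_ID])
    out["bearer_client"] = bearer.authenticate(SAMPLE_HOST_ID)
    out["bearer_eavesdropper"] = bearer.authenticate(SAMPLE_HOST_ID)

    # Scheme B: the handle may be public; the secret stays on the client.
    host_secret = secrets.token_bytes(32)
    pop = ChallengeServer({SAMPLE_HOST_ID: host_secret})

    nonce = pop.challenge(SAMPLE_HOST_ID)
    proof = client_prove(host_secret, nonce)
    out["pop_client"] = pop.authenticate(SAMPLE_HOST_ID, proof)

    # Eavesdropper captured the handle and that proof; replays it against
    # a fresh challenge.
    pop.challenge(SAMPLE_HOST_ID)
    out["pop_replay"] = pop.authenticate(SAMPLE_HOST_ID, proof)

    # Eavesdropper knows only the handle and has to guess the secret.
    nonce = pop.challenge(SAMPLE_HOST_ID)
    out["pop_handle_only"] = pop.authenticate(
        SAMPLE_HOST_ID, client_prove(b"not the secret", nonce))

    # Unknown handle is rejected outright.
    nonce = pop.challenge("unregistered-host")
    out["pop_unknown_handle"] = pop.authenticate(
        "unregistered-host", client_prove(host_secret, nonce))
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

Run as a script, the bearer-id server accepts both the client and the eavesdropper, while the challenge server accepts only the live client and rejects the replayed proof, the guessed secret and the unknown handle. The bit_length_bounds helper makes the length point from the message concrete: a 32-character id is at most 256 bits as opaque ASCII and at most 128 bits if it is hex, and nothing about the length says whether the value is random or a counter.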

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin