Re: Using encryption to verify parameters
@douglas: it destroys the whole concept of urls - to know where you currently are. bookmarking, history etc - everything doesn't work anymore. well, if you really want all that for an app - fine but I am not convinced that cloaking urls adds any security. the params of urls shouldn't be what you need to worry about. it's the content of them which should be secured. and this can be achieved via simple ACL, as well. if you focus all your effort on making urls unguessable instead of clean ACL but someone is able to get hold of it (sniffing, browser history, logging tools), the result is even worse than not having url encryption.

On 19 Dec., 06:21, José Lorenzo jose@gmail.com wrote:
> I think the reasons for doing this are very narrow. But if you are absolutely positive that you need to do it, then the best way would be to not encrypt the url at all! Encryption can be broken with some level of effort. My suggestion would be to create urls like tinyurl does, store the params in database or cache, generate a unique url that will expire after a certain time or first use.

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.

To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php
Re: Using encryption to verify parameters
Geoff, I work at FreshBooks. You'll have to trust me when I say encoding your querystrings is a horrible idea. We only still have it because of legacy issues, and the fact that we have had them for years. I would strongly suggest you don't go down the very painful road of doing this.

-Mark

On Dec 18, 10:35 pm, Geoff Douglas drdouglas...@gmail.com wrote:
> The accounting web application Freshbooks does this. Every link inside the application uses a long encrypted string, instead of a url path. Once the url hits the app, it's decrypted and routed. Thus securing the urls from users' eyes... I agree that this adds a genuine level of security, even as a simple deterrent, or mask. I would use a separate salt value in the configure class, then create a new helper that encrypts the urls for links and such. Then you could decrypt them either in bootstrap, or somewhere that loads first. Not sure if the AppController beforeFilter is soon enough, but it might be. You would just have to test it out. Happy Coding.
Re: Using encryption to verify parameters
jsonencode the params then base64encode them then encrypt them, pass this encryption hash along with the original plaintext variables, when you receive these variables back check the plaintext variables against the encryption hash.

I do the same on some of my projects to prevent tampering of data and forms.

Thank you,
-Alex Goretoy
http://launchpad.net/~a1g

On Mon, Dec 19, 2011 at 10:13 AM, mark_story mark.st...@gmail.com wrote:
> Geoff, I work at FreshBooks. You'll have to trust me when I say encoding your querystrings is a horrible idea. We only still have it because of legacy issues, and the fact that we have had them for years. I would strongly suggest you don't go down the very painful road of doing this.
>
> -Mark
>
> On Dec 18, 10:35 pm, Geoff Douglas drdouglas...@gmail.com wrote:
> > The accounting web application Freshbooks does this. Every link inside the application uses a long encrypted string, instead of a url path. Once the url hits the app, it's decrypted and routed. Thus securing the urls from users' eyes... I agree that this adds a genuine level of security, even as a simple deterrent, or mask. I would use a separate salt value in the configure class, then create a new helper that encrypts the urls for links and such. Then you could decrypt them either in bootstrap, or somewhere that loads first. Not sure if the AppController beforeFilter is soon enough, but it might be. You would just have to test it out. Happy Coding.
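The tamper check described in the message above, as an added example that is not part of the original post or of CakePHP: it swaps the "encrypt and compare" step for an HMAC-SHA256 tag over the canonicalised parameters, which is the usual primitive for detecting modified values. The function names, the `sig` parameter and the key are assumptions.

```php
<?php
// Added example: function names, the 'sig' parameter and the key are assumptions.

// Serialize parameters deterministically so both sides tag the same bytes.
function canonical_params(array $params): string
{
    unset($params['sig']);
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Return the query string with an HMAC-SHA256 tag appended as 'sig'.
function sign_params(array $params, string $key): string
{
    $canonical = canonical_params($params);
    return $canonical . '&sig=' . hash_hmac('sha256', $canonical, $key);
}

// Return the verified parameters, or null if the tag is missing or wrong.
function verify_query(string $query, string $key): ?array
{
    parse_str($query, $params);
    if (!isset($params['sig']) || !is_string($params['sig'])) {
        return null;
    }
    $expected = hash_hmac('sha256', canonical_params($params), $key);
    // hash_equals() compares in constant time, so timing does not leak the tag.
    if (!hash_equals($expected, $params['sig'])) {
        return null;
    }
    unset($params['sig']);
    return $params;
}

// Constructed sample values; a real key is long, random and kept in configuration.
$key   = 'constructed-demo-key-not-for-production';
$query = sign_params(['invoice' => '42', 'action' => 'view'], $key);

var_dump(verify_query($query, $key));                                          // link as issued
var_dump(verify_query(str_replace('invoice=42', 'invoice=43', $query), $key)); // edited value
```

A valid tag only shows that the application issued the link unchanged; the access check for the current user still has to run on the verified parameters.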
Re: Using encryption to verify parameters
I love Freshbooks! Is it a cool place to work? I trust you sir. Point understood.
Re: Using encryption to verify parameters
I can understand your point. You can never be secure without a good ACL system in place. But that doesn't mean you can't have both at some level. I think I just like to keep the options open for interesting ideas. I don't know if I would ever encrypt the entire application, but perhaps just some things... maybe. I have worked on systems that are highly secured, very sensitive business data, to sites that are simply static content delivery networks. Of course you would never use goofy urls for anything that touched Google and the search engine buddies. But some applications, specifically intranets, use abstraction and deterrence as just another layer of security.
Re: Using encryption to verify parameters
I like it. This could be very useful at various levels.
Re: Using encryption to verify parameters
what? seriously? I heard a lot of crazy things in my life - but that tops them all^^

On 18 Dec., 23:55, Daniel danwgr...@gmail.com wrote:
> I am thinking of encrypting all parameters (in the URL) along with a secret key, so they cannot easily be faked. However I do not know which encryption to use or what is a good way to do this. Any ideas? Thanks.
Re: Using encryption to verify parameters
hahahah mark hahah :) :)

--
Kind regards,
Tilen Majerle
http://majerle.eu

2011/12/19 euromark dereurom...@googlemail.com
> what? seriously? I heard a lot of crazy things in my life - but that tops them all^^
>
> On 18 Dec., 23:55, Daniel danwgr...@gmail.com wrote:
> > I am thinking of encrypting all parameters (in the URL) along with a secret key, so they cannot easily be faked. However I do not know which encryption to use or what is a good way to do this. Any ideas? Thanks.
Re: Using encryption to verify parameters
On Dec 18, 11:20 pm, euromark dereurom...@googlemail.com wrote:
> what? seriously? I heard a lot of crazy things in my life - but that tops them all^^

Sarcastic B*d
Re: Using encryption to verify parameters
well, you might wanna try to explain why you wanna do that all actions = the complete application? or only for specific actions? before you start cussing around. because I cannot think of a sane reason - except maybe making your own life more complicated. there is a reason why no one went down that road before

On 19 Dec., 00:32, Daniel danwgr...@gmail.com wrote:
> On Dec 18, 11:20 pm, euromark dereurom...@googlemail.com wrote:
> > what? seriously? I heard a lot of crazy things in my life - but that tops them all^^
>
> Sarcastic B*d
Re: Using encryption to verify parameters
The accounting web application Freshbooks does this. Every link inside the application uses a long encrypted string, instead of a url path. Once the url hits the app, it's decrypted and routed. Thus securing the urls from users' eyes...

I agree that this adds a genuine level of security, even as a simple deterrent, or mask. I would use a separate salt value in the configure class, then create a new helper that encrypts the urls for links and such. Then you could decrypt them either in bootstrap, or somewhere that loads first. Not sure if the AppController beforeFilter is soon enough, but it might be. You would just have to test it out.

Happy Coding.
Re: Using encryption to verify parameters
I think the reasons for doing this are very narrow. But if you are absolutely positive that you need to do it, then the best way would be to not encrypt the url at all! Encryption can be broken with some level of effort. My suggestion would be to create urls like tinyurl does, store the params in database or cache, generate a unique url that will expire after a certain time or first use.
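The tinyurl-style approach suggested in the message above, as an added example that is not part of the original post or of CakePHP: parameters stay on the server and the URL carries only a random token that works once and expires. The class, its methods and the array-backed store are assumptions standing in for a database or cache table.

```php
<?php
// Added example: the class, its methods and the array-backed store are assumptions;
// a real application would keep the rows in its database or cache.

final class OneTimeLinkStore
{
    /** @var array<string, array{params: array, expires: int}> */
    private array $rows = [];

    // Store the parameters server-side and return an unguessable token for the URL.
    public function issue(array $params, int $ttlSeconds, int $now): string
    {
        $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
        // Key the row by a hash so a leaked table does not reveal usable tokens.
        $this->rows[hash('sha256', $token)] = [
            'params'  => $params,
            'expires' => $now + $ttlSeconds,
        ];
        return $token;
    }

    // Return the parameters once; expired, unknown or reused tokens yield null.
    public function redeem(string $token, int $now): ?array
    {
        $id = hash('sha256', $token);
        if (!isset($this->rows[$id])) {
            return null;
        }
        $row = $this->rows[$id];
        unset($this->rows[$id]); // delete on first use, even if already expired
        return $now <= $row['expires'] ? $row['params'] : null;
    }
}

// Constructed sample run with a fixed clock value.
$store = new OneTimeLinkStore();
$t0    = 1324300000;
$token = $store->issue(['invoice' => 42, 'action' => 'view'], 300, $t0);

var_dump($store->redeem($token, $t0 + 10)); // first use inside the lifetime
var_dump($store->redeem($token, $t0 + 20)); // same token presented again
$late = $store->issue(['invoice' => 42], 300, $t0);
var_dump($store->redeem($late, $t0 + 301)); // presented after expiry
```

With a shared database, the lookup and delete need to be one atomic operation so that two concurrent requests cannot both redeem the same token.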