jason... it's the 2nd point... the hacked app that i'm concerned/thinking about... as i stated, a secure app/system incorporates not just the system, and the wire, it also deals with the client app that's being used. and in fact, i'm of the belief that the manufacturers/developers of a given app could in fact provide some function on their servers that you could check against to verify that the browser/app in question is indeed legitimate... as to the details, i'm not exactly sure how it could be accomplished, but i'm pretty sure it could be done... i'm not trying to stop someone from copying an app... i just want to know that the version of IE that i'm talking to is indeed a good/not hacked copy... -bruce -----Original Message----- From: Jason Barnett [mailto:jason.barnett@xxxxxxxxxxxxx] Sent: Monday, June 20, 2005 10:05 AM To: php-general@xxxxxxxxxxxxx Subject: Re: security question...?? bruce wrote: > hi... > > a number of you write apache/web/server apps that deal with secure > information.. in doing some research it occured to me that a potential weak > link is on the client side, regarding the browser? how many of you actually > attempt to verify that the browser being used by the client is indeed a > legitimate (non-hacked) browser?? > > or is there even a way to do this? > > or should i just go back to sleep..?? > > thanks > > -bruce > bedouglas@xxxxxxxxxxxxx Quite frankly I don't see how you are going to do this. The only thing I know of that might indicate the version / type of browser that is being used is the User Agent string, but it's not hard for this to be forged. So you could very well be dealing with an IE user that has a Mozilla Fire(fox|bird|????) User Agent string. More to the point: are you concerned that someone is using an unpatched browser that has holes, or are you concerned that someone is using a binary that has been hacked to pieces and rebuilt to look just like a normal browser? Because I really, REALLY don't think there would be a way to test for the second problem. What do you look for? How in the world do you find it? -- NEW? | http://www.catb.org/~esr/faqs/smart-questions.html STFA | http://marc.theaimsgroup.com/?l=php-general&w=2 STFM | http://php.net/manual/en/index.php STFW | http://www.google.com/search?q=php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
