Re: Re: security question...??

Please do not CC me; I will check the newsgroups and usually respond to all messages there. Onward!


bruce wrote:
> jason...
>
> it's the 2nd point... the hacked app that i'm concerned/thinking about...
>
> as i stated, a secure app/system incorporates not just the system, and the
> wire, it also deals with the client app that's being used.

Very true.

> and in fact, i'm of the belief that the manufacturers/developers of a given
> app could in fact provide some function on their servers that you could
> check against to verify that the browser/app in question is indeed
> legitimate...

OK, but if someone is truly skilled enough to rip apart an IE binary, don't you think it would be trivial for them to override / alter this checkIntegrity() function? Or whatever the heck you would call it.

> as to the details, i'm not exactly sure how it could be accomplished, but
> i'm pretty sure it could be done...

As to the details, the current way of checking app integrity usually involves checking the MD5 hash of a program against a published / known good MD5 hash. Although as was discussed in a recent thread it may be feasible for hackers to create new binaries that have the same MD5 checksum as a legit / non-hacked binary.

> i'm not trying to stop someone from copying an app... i just want to know
> that the version of IE that i'm talking to is indeed a good/not hacked
> copy...
>
> -bruce

I don't see how this is feasible for reasons mentioned above. Even if it was feasible can you also guarantee that there aren't other malicious processes running in the background (e.g. keystroke loggers)? Since MS has a web-based auto-update program then there is likely some way to find all of this critical information over an HTTP connection... but I just don't know how they do it. Also when MS checks your system it is really slow so it would be a huge performance impact on your site. But all of this is dark voodoo magic that doesn't really belong on this list. :)

--
NEW? | http://www.catb.org/~esr/faqs/smart-questions.html
STFA | http://marc.theaimsgroup.com/?l=php-general&w=2
STFM | http://php.net/manual/en/index.php
STFW | http://www.google.com/search?q=php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
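
The hash check described in the message above, as an added example that is not code from either poster: a local file is compared against a published known-good manifest using SHA-256, and MD5-length entries are refused because of the collision concern the reply raises. The file names, manifest contents and function names are constructed for illustration. It only helps when the check runs on a machine you control; as the reply points out, a check running inside a modified client can itself be altered.

```python
import hashlib
import hmac
import os
import tempfile

def parse_manifest(text):
    """Parse 'digest  name' lines (sha256sum layout) into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.lstrip().startswith("#"):
            entries[parts[1].strip().lstrip("*")] = parts[0].lower()
    return entries

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # stream large binaries
            h.update(block)
    return h.hexdigest()

def verify(path, manifest):
    """Return 'ok', 'mismatch', 'unlisted' or 'weak-digest'."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    if len(expected) != 64:  # 32 hex chars = MD5, 40 = SHA-1: refuse those
        return "weak-digest"
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    with tempfile.TemporaryDirectory() as d:
        app, old = os.path.join(d, "app.bin"), os.path.join(d, "old.bin")
        for p in (app, old):
            with open(p, "wb") as f:
                f.write(b"constructed sample binary")
        manifest = parse_manifest(
            "# constructed manifest; a real one comes from the publisher\n"
            f"{sha256_file(app)}  app.bin\n"
            f"{'0' * 32} *old.bin\n")  # constructed MD5-length entry
        out = {"clean": verify(app, manifest), "md5_only": verify(old, manifest),
               "unlisted": verify(os.path.join(d, "other.bin"), manifest)}
        with open(app, "ab") as f:
            f.write(b"\x00")  # simulate a modified binary
        out["tampered"] = verify(app, manifest)
        return out

if __name__ == "__main__":
    print(demo())
```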


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux