rene..

from my perspective, i strongly disagree... if you're going to be writing apps that deal with sensitive information, you better damn well give some thought as to how secure the client is, or even if the client is actually valid!

while i'm not precisely sure as to how you'd go about ensuring that the client is indeed real/valid, and not faked, there are some reasonable approaches that the vendor/manufacturer could take, or make available that could go a good way towards satisfying the issue somewhat...

and creating a secure client/server connection that only the two parties (server/client) can listen to is not illegal in the US.. i'm not sure where you get your information..

but my point was not regarding the actual communication pipe/wire. there are already methods of securing the wire conversation between the server/client. i'm concerned with being reasonably sure that the client i'm talking to is indeed a valid/real client. IE, if it identifies itself as IE, then it actually is IE, and not some spoofed app, that acts like IE, that might be sending data to who knows where...

-bruce

-----Original Message-----
From: -{ Rene Brehmer }- [mailto:steelrodent@xxxxxxxxxxxxxx]
Sent: Monday, June 20, 2005 3:52 PM
To: php-general@xxxxxxxxxxxxx
Subject: Re: Re: security question...??

I don't see any way of doing such a thing, without also seeing how easy it would be to fake it.

I'm not really sure what it is you want to achieve. As a webmaster you can't really take responsibility for the clients using insecure software to access your website.

It is technically possible to use custom browsers, combined with personal encryption chipcards, that allow only a specific person to establish an encrypted connection to the server, and nothing else. And then refuse connections made by other means. But that method is illegal in the US because the CIA/NSA/FBI and so on can't "listen in" on the connection, and as such it's a violation of the weapons/terror laws...
There is no way of ensuring a truly secure connection over an open network without taking some drastic measures and having each site use their own specific encryption algorithms with corresponding clients...

Rene

Documented research indicates that on Mon, 20 Jun 2005 11:13:52 -0700, "bruce" wrote:

> jason...
>
> it's the 2nd point... the hacked app that i'm concerned/thinking about...
>
> as i stated, a secure app/system incorporates not just the system, and the
> wire, it also deals with the client app that's being used.
>
> and in fact, i'm of the belief that the manufacturers/developers of a given
> app could in fact provide some function on their servers that you could
> check against to verify that the browser/app in question is indeed
> legitimate...
>
> as to the details, i'm not exactly sure how it could be accomplished, but
> i'm pretty sure it could be done...
>
> i'm not trying to stop someone from copying an app... i just want to know
> that the version of IE that i'm talking to is indeed a good/not hacked
> copy...
>
> -bruce

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php