Re: Re: security question...??

This was an interesting topic when it started, but this is getting way out of the realm of PHP and you are in danger of your messages going to my /dev/null. I understand your concerns about application security being all-encompassing, but there have been a lot of good suggestions on how to overcome some of these problems already.

If you are hell bent on checking browser integrity then this is what you do:

1. Download every version of IE, Fire(fox|bird|???), Opera, Konqueror, Safari, Links, Lynx, Mosaic, Netscape Navigator, mobile phone browsers, PDA browsers, etc. that has ever existed. These have to be the "trusted" binary versions of those applications for every platform on which they have been built.
2. Run a checksum program on each of the binaries and store the checksums in a database. This checksum algorithm needs to be one that you trust.
3. Require each user to create a secure connection with your server (however you want to do that).
4. After the connection is created, get the user to upload the executable they are using to access your server.
5. Checksum the upload and look for the matching hash.

The steps outlined above do very little if anything to enhance security, but it is a way to check for integrity of a plain vanilla installation. Then again if you really, really wanted to be accurate you would also need to download and hash all possible combinations of 3rd party add-ons with each browser, for each operating system, and...

Do you see what a difficult task this is? And do you think the average user is actually going to do anything like what I've described above? It's tough enough to just get visitors to accept cookies.

The benefits of going through the exercise you're describing are nowhere even close to the costs involved (costs meaning the time involved for the server, the client, the web developers, and the end users as well as bandwidth usage). There are other ways to increase security that are more cost effective than what you're suggesting.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

