RE: Re: security question...??

but chris...

go back and look at the entire thread...

i never stated that i wanted to be able to know whether the entire system is
secure on the client's end.. i stated that i wanted to be able to know if
the client that i'm dealing with is legitimate.. keep the conversation
apples to apples...

i've intentionally constrained the focus of this thread..

the fact that you've taken the thread in another direction is your issue...

-bruce


-----Original Message-----
From: Chris W. Parker [mailto:cparker@xxxxxxxxxxxx]
Sent: Wednesday, June 22, 2005 11:01 AM
To: bedouglas@xxxxxxxxxxxxx; Rory Browne; php-general@xxxxxxxxxxxxx
Subject: RE:  Re: security question...??


bruce <mailto:bedouglas@xxxxxxxxxxxxx>
    on Wednesday, June 22, 2005 10:28 AM said:

> sure it can rory...
> 
> i can give you a file... i create a hash of the file... if i have a
> process within the file that i give you that allows the file to more
> or less create the hash of itself, and if i can query/access the file
> to get the information, then i can more or less determine if the file
> has been changed..

But even if the file(s) you're checking haven't changed that doesn't
have anything to do with determining whether or not a 3rd party program
is eavesdropping on the entire conversation, stealing whatever data it
wants.

Go back to the wall analogy I gave earlier. You may, without a shadow of
a doubt (and accurately so), know that you're speaking with a person you
trust on the other side of the wall. But what you don't know, nor could
you determine(!), is that there is another person standing next to the
person you're talking to listening to everything you both say and
writing it all down.

You'd probably say, well I'll just ask the person I trust if someone
else is there... But remember the rootkit? The person you trust may not
even know another person is standing there so as far as the person you
trust is concerned, there isn't anyone else listening. And now you're
back to square one.

So what if all your hashing and double checking of hashes succeeds. That
doesn't change the fact that you don't have control over the client and
that you can't be certain of what's happening on the client's side.
Period.

This thread is a joke.



Chris.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
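
The limit this exchange turns on, shown as an added example that was written by neither poster: a self-hash check tells the server which bytes the client chose to hash, not which code the client is running. The file contents and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: the bytes of the file the server handed to the client.
ORIGINAL_FILE = b"<?php /* client module v1 (constructed sample) */ ?>"

def server_challenge() -> bytes:
    """Fresh random nonce so a previously seen answer cannot be replayed."""
    return os.urandom(16)

def expected_answer(nonce: bytes) -> str:
    """What the server computes from its own copy of the file."""
    return hashlib.sha256(nonce + ORIGINAL_FILE).hexdigest()

class HonestClient:
    """Runs the unmodified file and hashes what it is actually running."""
    def __init__(self):
        self.running_code = ORIGINAL_FILE

    def answer(self, nonce: bytes) -> str:
        return hashlib.sha256(nonce + self.running_code).hexdigest()

class ModifiedClient:
    """Runs altered code but hashes an untouched copy kept beside it."""
    def __init__(self):
        self.running_code = ORIGINAL_FILE + b"/* altered */"
        self.pristine_copy = ORIGINAL_FILE

    def answer(self, nonce: bytes) -> str:
        return hashlib.sha256(nonce + self.pristine_copy).hexdigest()

def server_accepts(client) -> bool:
    """Server-side check: constant-time compare against its own computation."""
    nonce = server_challenge()
    return hmac.compare_digest(client.answer(nonce), expected_answer(nonce))

def demo() -> dict:
    honest, modified = HonestClient(), ModifiedClient()
    return {
        "honest_accepted": server_accepts(honest),
        "modified_accepted": server_accepts(modified),
        "modified_runs_original": modified.running_code == ORIGINAL_FILE,
    }

if __name__ == "__main__":
    print(demo())
```

Both clients pass the check, so anything the server must rely on has to be validated on the server itself.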
