Peter Lauri wrote:
Isn't that just to send a username and password with the request? Or is the
username and password protected somehow in that process?
-----Original Message-----
From: Paul Scott [mailto:pscott@xxxxxxxxx]
Sent: Tuesday, September 05, 2006 4:08 PM
To: Peter Lauri
Cc: php-general@xxxxxxxxxxxxx
Subject: Re: Is this unsecure?
On Tue, 2006-09-05 at 16:04 +0700, Peter Lauri wrote:
I have bumped into a problem. I need to use a web service that is located on
server B from server A. The server B will execute a script when the web
service is accessed and an email is sent as a parameter. The problem is, if
I only have the email as incoming parameter, anyone can just figure out the
url for the web service, the name, and then just send the email to that
address.
Why not just use SOAP envelope authentication?
--Paul
Peter,
The approach is fairly secure. But it would be much better to use the
output buffer to append a chunk of characters to the whole page and then
md5 that. This makes it much less likely that a snooper could brute
force attack the system.
The next stage beyond that is just to AES encrypt the whole
communication. As you have access to both ends, there is no requirement
for asymmetric cryptography. Then simply put a known phrase at the
start of the request; the other end then checks for it after decryption
and, if it is not there, it rejects the message.
Crank that up to 256-bit encryption and you have a commercial spec system :-)
Cheers
AJ
PPS as MD5 is now part cracked, if you are truly paranoid, use SHA.
--
www.deployview.com
www.nerds-central.com
www.project-network.com
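
Added example, not part of the thread: the shared-secret hash described in the message above, written with PHP's hash_hmac() (HMAC-SHA256 swapped in for appending the secret and calling md5()), plus a timestamp so a captured request cannot be reused indefinitely, which goes beyond what the thread discusses. The function names, the secret and the five-minute window are assumptions made for illustration.

```php
<?php
// Added example; all names below are hypothetical, not from the thread.
const SHARED_SECRET = 'constructed-demo-secret'; // constructed value; known to servers A and B only
const MAX_SKEW_SECONDS = 300;                    // assumption: accept requests up to 5 minutes old

// Server A: build the query string for the call to the web service on server B.
function build_signed_query(string $email, int $now): string
{
    // The timestamp is digits only, so "\n" separates the two fields unambiguously.
    $mac = hash_hmac('sha256', $now . "\n" . $email, SHARED_SECRET);
    return http_build_query(['email' => $email, 'ts' => $now, 'mac' => $mac]);
}

// Server B: run the script only if the MAC matches and the timestamp is fresh.
function verify_signed_query(array $params, int $now): bool
{
    foreach (['email', 'ts', 'mac'] as $key) {
        if (!isset($params[$key]) || !is_string($params[$key])) {
            return false; // missing field, or an array smuggled in as email[]=...
        }
    }
    if (!ctype_digit($params['ts'])) {
        return false;
    }
    $ts = (int) $params['ts'];
    if (abs($now - $ts) > MAX_SKEW_SECONDS) {
        return false; // stale or future-dated request
    }
    $expected = hash_hmac('sha256', $ts . "\n" . $params['email'], SHARED_SECRET);
    return hash_equals($expected, $params['mac']); // constant-time comparison
}

// Constructed demonstration: a genuine request, a tampered one, and a replayed one.
$now = 1157447280; // constructed fixed clock value so the run is repeatable
parse_str(build_signed_query('user@example.com', $now), $received);

$tampered = $received;
$tampered['email'] = 'other@example.com'; // parameter changed in transit, MAC left as is

var_dump(verify_signed_query($received, $now));        // genuine request
var_dump(verify_signed_query($tampered, $now));        // altered email
var_dump(verify_signed_query($received, $now + 3600)); // same request an hour later
```

The MAC authenticates the request but does not hide the email address; confidentiality still needs the encryption step the message goes on to describe.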