Posted by David McKenzie on 10/16/07 01:27
C. wrote:
> On 10 Oct, 19:16, Anze <anzen...@volja.net> wrote:
>> The problems I see are:
>> - where would the client key reside? I guess in a cookie, but it should be
>> installed there and kept permanent...
>> - the administrator could have access to PHP pages too so he could alter
>> them and get the key through XSS attack
>>
>
> If you can't answer these you don't have a consistent security model.
> Combine that with a complex security architecture and you've spent a
> lot of time and effort developing something which is not fit for
> purpose.
>
> Anything decrypted on the server is susceptible to detection by
> someone controlling the server. Any data sent to / from the server is
> susceptible to detection.
>
> C.
>
And anything decrypted on an end-user's machine is usually open to the
public.
--
DM davidm@cia.com.au
'It would go against respecting principles and truth if you have to
respect and accept anything just because it is the other side's view.'
- Kim Jung Ill