Message-ID: <LAW11-F126AnxGqNZr100015c4e@hotmail.com>
From: tinsleyphone at hotmail.com (Paul Tinsley)
Subject: NSRG-Security SaS Encryption cracked
>On Wed, 15 Oct 2003 01:55:10 CDT, Paul Tinsley <pdt@...khammer.org> said:
> > full-disclosure it inspired me to audit a few websites myself. I started
> > with the author of all the IMHO frivolous postings and found that he
> > "encrypted" his website with something called SaS that his group wrote.
> Since the transmitted HTML needs to be (eventually) interpreted as HTML, there
> are only two basic options:
>
> 1) Settle for mere obfuscation and a snippet of reverse-engineerable
> Javascript or similar that decodes the obfuscated input to HTML that the
> browser will accept.
>
> 2) Use a public-key or shared-secret system wherein each client gets a
> potentially different version of the page (note that this includes the case
> of an HTTP authentication failing and giving you an error page).
>
> Again, to repeat - without some sort of per-client unique key, all you can
> do is obfuscate, and said obfuscation has to be done in a programmable
> reversible way to be at all useful.
I 100% agree with you. I tried to make it apparent that I didn't agree with
the term encryption as used by Lorenzo by quoting it both in my email and in
my source code. I am fully aware that the content has to be interpreted and
that was half of the reason that I decided to throw that code together last
night. I wanted to make the point that it was a pretty fruitless venture.
Sorry if I didn't convey that very well...
I am lumping this email together as I don't have much time today to deal
with responses to this:
Lorenzo:
Quote: "PS: I'm working in a md5 file hash system for pages"
Response: The wheel currently exists: Tripwire, AIDE, tracker, etc...
Quote: "But , it's easy to identify the encoding in first view:"
Response: I am aware of that, but I wasn't sure that you were; you use the
term encryption both in your comments and in your javascript. Actually you
call it decrypt, but those two go hand in hand...
Quote: "currently are not available fast methods to encrypt pages in real time"
Response: I was playing with this neat technology the other day called SSL
that seems to do the trick pretty nicely. I even discovered that most
browsers come with support for it by default! It even takes it one step
further and the stuff you send from the client to the server is encrypted
as well.
Quote: "I think you took the exploit/perl script from a developers site
because SaS is using a standard of encoding"
Response: If you really want to know, I just "ported" your "decryption" (note
the quotes!) algorithm to perl and wrote a few regular expressions to pull
out the parts I needed. This should be obvious by the use of the SAME exact
variables in most places, except a few thrown in for my own enjoyment,
ex: @special_sauce.
Quote: "as you see it's not encryption , so , you didn't crack anything....
you decoded it !"
Response: Were you to pay attention to the code or the name of the file, you
would realize that the pieces I created DO refer to decoding, not decrypting.
P.S. - Sorry about formatting/spelling errors, I am reduced to hotmail due
to fsck errors on my mail server which is in a lights out data center. Ok
back to rebuilding the replacement mail server...