Simple encryption proposal. Comments ?

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Mon Dec 30 10:13:02 EST 2002


"Thomas Weholt" <2002 at weholt.org> writes:
> Hm .... are you saying I'm better off using rotor? My first attempts used
> rotor, but storing rotor-encrypted data in values of HTTP-cookies didn't
> work very well, since cookie-values must be in the
> string.lowercase+string.uppercase+'0123456789'-range ( in addition to the
> normal ,.-_ etc. characters ). Rotor produced a lot of unprintable data. If I
> didn't mess it up somewhere that is.

- Don't use rotor; it is not secure.

- Also, don't use SmartCookie, since it uses pickling and malicious
  incoming cookies can potentially take over your server.

- Just about any encryption scheme is going to result in unprintable
  characters that you'll then have to encode printably.  I'm not sure
  whether base64 characters are all permissible in cookies.  I think
  they are.  Otherwise you may have to find some substitutions.

> Since normal basic HTTP-authentication is stored as a cookie, just
> Base64-encoded, I thought even a simple encryption scheme would provide
> better security than that.

This depends on who you think the attacker is.  If the attacker is
someone sniffing the IP traffic to capture the user's data, use SSL.
If the attacker is the user him/herself and you want to put stuff in
the cookies that the user shouldn't be allowed to read, use a good
encryption method (not rotor) to encrypt the cookies.
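The two cookie hazards named above, a pickled (SmartCookie-style) value that runs attacker-supplied code, and binary output that has to be encoded into cookie-safe characters, as an added Python 3 example; this is not code from either post. The safe half authenticates a JSON body with HMAC-SHA256 and base64url, which stops the user tampering but does not hide the data: the stdlib has no block cipher, so the "good encryption method" for data the user must not read is left to a crypto library. SECRET_KEY, the function names and the sample values are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import pickle
import secrets
import string

# Part 1: why a pickle-based cookie (SmartCookie) is dangerous.
# A pickle is a small program executed by pickle.loads, and __reduce__ lets an
# object say "reconstruct me by calling this callable with these arguments".
# This constructed payload calls builtins.eval on a string that returns the
# server's PID: harmless, but it proves the server ran attacker-chosen code.
class _Payload:
    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))

def build_malicious_cookie():
    """What a hostile client could send to a server that unpickles cookie values."""
    return base64.b64encode(pickle.dumps(_Payload())).decode("ascii")

def unsafe_load(cookie_value):
    """The SmartCookie-style mistake: unpickling data the client controls."""
    return pickle.loads(base64.b64decode(cookie_value))

# Part 2: a safer cookie: JSON (data, not code), an HMAC-SHA256 tag so the user
# cannot alter it, and URL-safe base64 so the value contains only cookie-safe
# characters.  HMAC gives integrity, not secrecy: the user can still read the
# JSON, so anything the user must not see needs a real cipher on top of this.
SECRET_KEY = secrets.token_bytes(32)   # assumption: in practice load from config
COOKIE_SAFE = set(string.ascii_letters + string.digits + "-_.")

def _b64(raw):
    # urlsafe alphabet is A-Z a-z 0-9 - _ ; drop the '=' padding, which some
    # cookie parsers dislike, and restore it on decode.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_cookie_safe(value):
    """True if every character is in the conservative cookie-value alphabet."""
    return all(ch in COOKIE_SAFE for ch in value)

def seal(data, key=SECRET_KEY):
    """Serialise data as canonical JSON and append an HMAC tag: '<body>.<tag>'."""
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def unseal(cookie_value, key=SECRET_KEY):
    """Return the data if the tag verifies, else None.  Never unpickles."""
    try:
        body_b64, tag_b64 = cookie_value.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:            # malformed split, or bad base64 (binascii.Error)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(body.decode("utf-8"))

def forge(cookie_value, new_data):
    """What the user might try: keep the server's valid tag, swap in a new body."""
    _, tag_b64 = cookie_value.split(".", 1)
    body = json.dumps(new_data, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64(body) + "." + tag_b64

if __name__ == "__main__":
    c = seal({"user": "alice", "admin": False})
    print(c, is_cookie_safe(c), unseal(c))
    print(unseal(forge(c, {"user": "alice", "admin": True})))   # None: tag mismatch
    print(unsafe_load(build_malicious_cookie()))                 # the server's PID
```

The tag check uses hmac.compare_digest rather than == so a forger cannot learn the tag byte by byte from timing; the JSON is serialised with sort_keys and no whitespace so the same data always produces the same bytes to authenticate.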


