
Topic awaiting preservation: challenge response

Author Thread
Tekapo
Nervous Wreck (II) Inmate

From:
Insane since: Aug 2004

posted 03-15-2005 05:34

hi, guys. How are you?
I wanna know if any of you ever implemented 'challenge response' in your ecommerce site?
My book said that SSL thing is not good enough cuz of the possibility of wiretapping.
I guess I agree with this. What do you think?

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 03-15-2005 08:18

huh? SSL is by definition good against wiretapping.
The only reasonable attack is 'man-in-the-middle' - and that's kinda hard to pull off grand-scale with the net structure nowadays (forging an IP address outside of a local network is not particularly easy).

Hugh
Paranoid (IV) Inmate

From: Dublin, Ireland
Insane since: Jul 2000

posted 03-15-2005 10:31

If it was insecure it wouldn't be used everywhere. I implemented a "challenge response" in a site a while ago, it was a case of setting up a php script and I can't say I know what exactly it was doing, but it worked.

Tekapo
Nervous Wreck (II) Inmate

From:
Insane since: Aug 2004

posted 03-15-2005 14:33

Hi, guys. how are you?
My stories here:

quote:
I was reading the network book. It said that:
using only SSL is not secure. SSL will encrypt the valuable info into a string. But there is the possibility that the encrypted string will be wiretapped. If a hacker gets those strings, which are encrypted from the original info, he can access the web server using them. That is why we recommend using both SSL and challenge response.

Hum.....Do I make myself clear? Hope it makes sense.
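The replay scenario in the quoted passage, shown as an added example that is not from this thread: the server issues a one-time nonce, the client answers with an HMAC over it, and the server rejects the captured answer when it is sent again. The shared secret, user name and nonce handling here are constructed demo values, not any product's protocol.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the demo (a real server would hold a
# per-user, password-derived key instead of a hard-coded value).
SECRET = b"example-shared-secret"


def compute_response(secret: bytes, user: str, nonce: str) -> str:
    """Client side: prove knowledge of the secret without sending it."""
    message = f"{user}:{nonce}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class ChallengeServer:
    """Minimal server that hands out nonces and checks responses once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = {}   # user -> nonce that is still unanswered
        self.consumed = set()   # nonces already accepted (replay detection)

    def issue_challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)  # fresh, unpredictable per login
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user: str, nonce: str, response: str) -> bool:
        expected_nonce = self.outstanding.pop(user, None)
        # Reject unknown, stale or already-consumed nonces before any crypto.
        if expected_nonce is None or nonce != expected_nonce or nonce in self.consumed:
            return False
        self.consumed.add(nonce)
        expected = compute_response(self.secret, user, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> tuple:
    """Returns (first login ok, replay ok, stale response ok)."""
    server = ChallengeServer(SECRET)
    nonce = server.issue_challenge("alice")
    response = compute_response(SECRET, "alice", nonce)
    first = server.verify("alice", nonce, response)          # True
    # An eavesdropper who captured (nonce, response) sends it again.
    replay = server.verify("alice", nonce, response)         # False
    # Even with a new challenge, the old response no longer matches.
    nonce2 = server.issue_challenge("alice")
    stale = server.verify("alice", nonce2, response)         # False
    return first, replay, stale
```

The point the book is making survives: because the nonce changes on every login, a wiretapped response is useless to whoever captured it, which is what a plain password sent over an encrypted channel cannot guarantee on its own.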

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 03-15-2005 16:02

What you are talking about is a "man-in-the-middle" attack. As stated above it is not something that is easy.

However, yes, more challenges pretty much equals more security; however, often this equates to using 2048-bit or larger keys, it is just overkill and you are better off placing your resources elsewhere. Like protecting your check book, or physical credit card, which is probably far less protected than your ecommerce site.

The other thing with this is, any challenge you make to a user of an ecommerce site is an increase in the chance that you will lose a sale. People who order online want their transactions to be quick and painless, if you place additional buffers in front of the user before they are able to complete the transaction you are going to lose customers. It is really that simple. Ask only the information you need to bill and ship your product and don't make your user jump through hoops in order to authenticate themselves. The best ecommerce sites out there are the ones that allow you to purchase an item by entering only the necessary information for billing and shipping, all the other fluff should be optional.

Also it is good of you to come here and ask questions about what you read. A lot of the time you will find that the authors have some pretty good ideas, but that they lack the full knowledge of certain areas. Security is often an area where you will find more hype than fact. This is because security is hard, and that is almost a definition. You should take anything you read about security with a grain of salt, especially if it is not written in the context of a security manual. I have books that are hundreds of pages on the specifics of different cryptographic protocols and they only scratch the surface.

Dan @ Code Town

synax
Maniac (V) Inmate

From: Cell 666
Insane since: Mar 2002

posted 03-15-2005 20:06

quote:
If it was insecure it wouldn't be used everywhere.

That's a bold statement! For example, Windows is notoriously insecure, yet it's probably the single most common piece of software found on computers world-wide.

Hugh
Paranoid (IV) Inmate

From: Dublin, Ireland
Insane since: Jul 2000

posted 03-15-2005 20:33

^ very true and a million dung beetles are very wrong. But Windows and SSL are quite different, for one, SSL is a technology not some asshole company's dodgy software. Also, its purpose is security. It isn't sold because it's easy to use and everyone needs it. It's used because it's secure. Also the people who implement it aren't your average joe, Linux nerds use it too.
