SMS Gateway

Hey! It ain't that hard!

Postby SOD » 03/02/09, 2:46 pm

Using a POST is just the start of a good security practice. Fundamentally a POST is more secure, but on its own it does not do the whole job. It is a standard.

A Get has a limit of 100 char.
Source: http://www.w3schools.com/PHP/php_get.asp
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby Gerry » 03/03/09, 8:29 am

Gerry wrote: POST isn't more secure than GET, POST just makes the location of the data a little less obvious. You need encryption if you want security.
Dark Shadow wrote: Well, it depends. POST data is always encrypted within SSL if the server runs a certificate and you request the data via https, however, GET requests toss the information directly into the URL which, if I am not mistaken, is not encrypted at all even over encrypted SSL connections. Someone listening on a network and sitting between you and the target could see the information passed. Now, if you placed the GET variables inside of an actual connection to a server instead of passing them into the URL, you would get the information encrypted via SSL, however, most people would never do this since it requires more than your average amount of coding to do so.
SOD wrote: Using a POST is just the start of a good security practice. Fundamentally a POST is more secure, but on its own it does not do the whole job. It is a standard.


:D

The entire session, including the GET request, is encrypted; the IP address (which is obtained from the HOST string) is used to make the secure connection to the server. As I said, it is encryption that matters, not GET or POST.
http://www.w3.org/2001/tag/doc/whenToUseGet.html#sensitive wrote: To protect information carried by either GET or POST operations, it is often appropriate to use an underlying secure protocol such as the Secure Socket Layer [SSL3]. By using GET over SSL for safe operations, designers retain some of the benefits of URI addressability, even if they lose others (e.g., caching).
Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia
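
Gerry's point above, as an added example that is not part of the thread: the same three gateway parameters sent once with GET and once with POST, the request line a web server's default access log writes to disk for each, and what a passive observer of an https connection gets to see. The host gateway.example, the /send path, the parameter names, the client address and the log line format are assumptions for illustration.

```php
<?php
// Added example, not code from the thread: the same gateway parameters
// carried once by GET and once by POST, then what each intermediary sees.
// Host, path, parameter names and the log line format are assumptions.

function build_request(string $method, string $host, string $path, array $params): string
{
    $query = http_build_query($params);          // application/x-www-form-urlencoded
    if ($method === 'GET') {
        // Parameters ride in the request line itself.
        $request_line = "GET {$path}?{$query} HTTP/1.1";
        $headers      = "Host: {$host}\r\n";
        $body         = '';
    } else {
        // Parameters ride in the body; the request line carries only the path.
        $request_line = "POST {$path} HTTP/1.1";
        $body         = $query;
        $headers      = "Host: {$host}\r\n"
                      . "Content-Type: application/x-www-form-urlencoded\r\n"
                      . "Content-Length: " . strlen($body) . "\r\n";
    }
    return $request_line . "\r\n" . $headers . "\r\n" . $body;
}

// A web server's default access log (Apache "common" format, for example)
// writes the request line, never the body: GET parameters end up on disk,
// POST parameters do not. The client address and timestamp are constructed.
function access_log_line(string $raw_request): string
{
    $request_line = strtok($raw_request, "\r\n");
    return '203.0.113.5 - - [04/Mar/2009:10:21:00 +0000] "' . $request_line . '" 200 17';
}

// A passive observer of an https connection sits outside the TLS record layer:
// it learns the server address and port (and the hostname via DNS or SNI), and
// nothing of the request line, headers or body, whichever method was used.
function visible_on_https_wire(string $host, int $port): array
{
    return ['host' => $host, 'port' => $port, 'http_request' => '<encrypted>'];
}

$params = ['key' => 'EXAMPLE-KEY', 'to' => '5551234567', 'msg' => 'meet at 7'];
$get    = build_request('GET',  'gateway.example', '/send', $params);
$post   = build_request('POST', 'gateway.example', '/send', $params);

echo "--- GET request as sent ---\n{$get}\n\n";
echo "--- POST request as sent ---\n{$post}\n\n";
echo "--- access log entry for the GET ---\n",  access_log_line($get),  "\n";
echo "--- access log entry for the POST ---\n", access_log_line($post), "\n";
echo "--- what a sniffer on the https wire sees, either way ---\n";
print_r(visible_on_https_wire('gateway.example', 443));
```

Run it from the command line with php. Over plain http everything in both requests is readable on the wire; over https neither the query string nor the POST body leaves the encrypted record. The difference that remains is where the data ends up afterwards: the GET version is written into the server's access log, the browser history, and the Referer header sent to any site the response links to, and the POST body is not.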

Postby SOD » 03/03/09, 10:45 am

To protect information carried by either GET or POST operations, it is often appropriate to use an underlying secure protocol such as the Secure Socket Layer [SSL3]. By using GET over SSL for safe operations, designers retain some of the benefits of URI addressability, even if they lose others (e.g., caching)

The only reason to use a GET is to:
"retain some of the benefits of URI addressability"

That would be the only reason...

SSL is always the way to go. POST is the standard common practice to get it there. Showing your knickers in a GET does not get it, and by the W3C spec it is an inappropriate use of it for anything but queries.
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby Gerry » 03/03/09, 4:14 pm

I was addressing the false claim that GET was less secure than POST. If the claim was that the use of GET was "inappropriate", then the statement being made would have been very different (and subjective).

Anyway, my point in posting was to prevent anybody stumbling across this thread from being accidentally misled about POST being more secure. That doesn't seem to be in question any more, so I guess there is really nothing left for me to say.
Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby Dark Shadow » 03/03/09, 5:45 pm

Coding with $_REQUEST makes everyone happy. ;)

Personally, I still think that coding with $_GET can be less secure, but that is 100% on the shoulders of the person on the other side programming how they are going to send requests to my gateway. If they do it right, POST and GET should be exactly the same as far as security goes. If they pass the GET request in the URL, then it could be far less secure due to how sniffers work and how firewalls often log the full URLs you visit.

On the topic of POST though... most sniffers are designed to catch EVERY POST request that is sent over a network, but they aren't designed to catch every GET request, since a POST makes it far more obvious that you are interacting with a page, whereas a GET could just be someone browsing eBay, Google, etc...

Frankly though, it doesn't matter, because if someone is sniffing your network, they will get the full variable set passed via GET or POST over SSL if they want, simply due to the fact that 'man-in-the-middle' is quite effective and PHP does not automatically compare certificates when it connects over SSL.

To be blunt... if you have a security breach, there is no such thing as small.
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am
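
Dark Shadow's remark that PHP does not compare certificates on its own, with the client-side settings that make it do so, as an added example; this is not the gateway's toolkit code. Before PHP 5.6 the https stream wrapper defaulted to verify_peer => false (and the name check was a separate CN_match option), so a client written against that default accepted any certificate a man-in-the-middle presented; setting the options explicitly gives the same behaviour on every version. The URL, parameters and CA bundle path are assumptions, and the bundle location differs between systems.

```php
<?php
// Added example, not the gateway toolkit's code: an https client in PHP with
// certificate verification switched on explicitly. URL, parameters and the
// CA bundle path are assumptions; the bundle location differs between systems.

$url    = 'https://gateway.example/send';
$params = ['key' => 'EXAMPLE-KEY', 'to' => '5551234567', 'msg' => 'hello'];
$cafile = '/etc/ssl/certs/ca-certificates.crt';

// 1. Stream wrapper. Before PHP 5.6 the ssl context defaulted to
//    'verify_peer' => false, so file_get_contents('https://...') accepted
//    whatever certificate the other end (or a man-in-the-middle) presented.
//    Set the options yourself and the behaviour is the same on every version.
function send_with_stream(string $url, array $params, string $cafile)
{
    $ctx = stream_context_create([
        'http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query($params),
            'timeout' => 10,
        ],
        'ssl' => [
            // Weak form (do not use): 'verify_peer' => false, 'allow_self_signed' => true
            'verify_peer'       => true,      // chain must validate against cafile
            'verify_peer_name'  => true,      // name must match the URL's host (PHP >= 5.6)
            'allow_self_signed' => false,
            'cafile'            => $cafile,
        ],
    ]);
    // Returns the response body, or false when the request or the verification fails.
    return file_get_contents($url, false, $ctx);
}

// 2. cURL. These two options are what the usual "quick fix" for a certificate
//    error turns off; turned off, a man-in-the-middle is accepted silently.
function send_with_curl(string $url, array $params, string $cafile)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        // Weak form (do not use): CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => 0
        CURLOPT_SSL_VERIFYPEER => true,   // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,      // 2: certificate name must match the host
        CURLOPT_CAINFO         => $cafile,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Verification failures land here. Report them; never retry unverified.
        fwrite(STDERR, 'request failed: ' . curl_error($ch) . "\n");
    }
    curl_close($ch);
    return $body;
}

// Usage (needs network access to the gateway host):
$reply = send_with_curl($url, $params, $cafile);
var_dump($reply);
```

With either client, a certificate that does not chain to the bundle or does not carry the gateway's hostname makes the call return false instead of handing the key and message to whoever answered the connection. The check belongs on the calling side: nothing the gateway does on its own end can tell a verified client from one that accepted a forged certificate.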

Postby SOD » 03/04/09, 1:46 am

Thought about why I think POST is more secure than GET.

Considering POST or GET on their own, without the benefit of https, POST passes the most basic of rules: it obfuscates data. Not much security, but as a native passive restraint it passes. If all else fails, at least the data is hidden. So it is also failure redundant.

Had to think about it.
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby Dark Shadow » 03/04/09, 6:54 am

I finally decided against using increased security by requesting an MD5 created from the user's username, password, and the target phone number. This seemed to place too much effort on the side of the other coder.

Instead, sending messages using your unique key is restricted to one of 5 IP addresses you can add to your account. This should be plenty of IP addresses for any developer as most of us develop our toys on the same few servers. It should also prevent people from stealing your access key (God forbid) and using it on another server.

I'm adding eye candy now, but the major features are finished and everything works.
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am
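
The access-key plus IP-allowlist scheme described in the post above, as an added example of the gateway-side check; it is not the ustxt.net code. The account table, key values and addresses are constructed, the function names are my own, and the five-address limit is the one the post states.

```php
<?php
// Added example on the gateway side, not the ustxt.net code: an access key
// only works from one of the account's allowlisted IP addresses (up to five,
// as the post describes). Accounts, keys and addresses are constructed.

const MAX_ALLOWED_IPS = 5;

// Constructed account table keyed by access key. A real gateway would load
// this from its database and store a hash of the key rather than the key.
$accounts = [
    'EXAMPLE-KEY-1' => ['user' => 'alice', 'ips' => ['203.0.113.10', '198.51.100.7']],
    'EXAMPLE-KEY-2' => ['user' => 'bob',   'ips' => []],   // nothing allowlisted yet
];

// Settings page: add an address; refuse malformed input and a sixth address.
function add_allowed_ip(array &$account, string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    if (in_array($ip, $account['ips'], true)) {
        return true;                              // already present
    }
    if (count($account['ips']) >= MAX_ALLOWED_IPS) {
        return false;                             // limit reached
    }
    $account['ips'][] = $ip;
    return true;
}

// Send endpoint: returns the owning username, or null for any failure.
// Unknown key and non-allowlisted address are reported identically, so a
// stolen key cannot be confirmed as valid from a host that is not allowed.
function authorize(array $accounts, string $key, string $remote_ip): ?string
{
    $match = null;
    // Compare in constant time against every stored key so that response
    // timing does not reveal how much of a guessed key was right.
    foreach ($accounts as $stored_key => $account) {
        if (hash_equals((string) $stored_key, $key)) {
            $match = $account;
        }
    }
    if ($match === null) {
        return null;
    }
    // $remote_ip must come from $_SERVER['REMOTE_ADDR'], the TCP peer. Never
    // take it from X-Forwarded-For or similar headers: the client controls
    // those and can set one to an allowlisted address.
    if (!in_array($remote_ip, $match['ips'], true)) {
        return null;
    }
    return $match['user'];
}

// Usage with the constructed data.
var_dump(authorize($accounts, 'EXAMPLE-KEY-1', '203.0.113.10'));  // key used from an allowed host
var_dump(authorize($accounts, 'EXAMPLE-KEY-1', '192.0.2.44'));    // same key from a host not on the list
var_dump(authorize($accounts, 'no-such-key',   '203.0.113.10'));  // unknown key
add_allowed_ip($accounts['EXAMPLE-KEY-2'], '203.0.113.10');
var_dump(authorize($accounts, 'EXAMPLE-KEY-2', '203.0.113.10'));  // bob's key after allowlisting his host
```

In a request handler the two inputs are $_REQUEST['key'] (or $_POST['key']) and $_SERVER['REMOTE_ADDR']. If the gateway sits behind a reverse proxy, REMOTE_ADDR is the proxy, and the forwarded address should only be trusted after confirming the connection really came from that proxy; otherwise the allowlist is defeated by a single forged header.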

Postby SOD » 03/04/09, 10:21 am

What would you rather have to start your car?

A push button or a key?
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby Dark Shadow » 03/04/09, 8:18 pm

Gateway is sorta ready. I'm still painting it and I have some work to do with the settings page and the FAQ page, and the TOS page... etc... but you guys can sign up and I will approve your account once you confirm your email. To make sure that I know it comes from Shellcity.net, please choose the same username as your Shellcity.net username. I will only accept Senior members or higher from Shellcity.
http://www.ustxt.net/
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am

Postby RedRage » 03/04/09, 9:29 pm

God, I'm sick of people using Flash for banners and buttons and stuff :(

looks purty though.
RedRage
BIG GIANT HEAD I Get Free Beer
Posts: 1541
Joined: 12/04/01, 12:00 am

Postby Dark Shadow » 03/04/09, 9:34 pm

Flash = idiot attraction
Functionality = nerd attraction
Combined = everyone attraction - Red Rage
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am

Postby SOD » 03/05/09, 10:48 am

I think Gerry wants you to believe that POST has the same security as GET. It does not.

As a standalone HTML attribute POST is more secure than GET at the user agent. The user agent or HTML should not be dismissed when writing web apps.

Gerry said: "Use either GET or POST as appropriate based on their strength and weaknesses over one another. ie. cacheability, data size, transparency to the end user etc"

All those things point to using POST when submitting data.

Thanks for making my point Gerry :shock:
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby Dark Shadow » 03/05/09, 2:42 pm

SOD wrote: I think Gerry wants you to believe that POST has the same security as GET. It does not.

As a standalone HTML attribute POST is more secure than GET at the user agent. The user agent or HTML should not be dismissed when writing web apps.

Gerry said: "Use either GET or POST as appropriate based on their strength and weaknesses over one another. ie. cacheability, data size, transparency to the end user etc"

All those things point to using POST when submitting data.

Thanks for making my point Gerry :shock:


SOD, feel like making the php example toolkit for the gateway using POST?
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am

Postby Gerry » 03/06/09, 9:52 am

SOD wrote: I think Gerry wants you to believe that POST has the same security as GET. It does not.

As a standalone HTML attribute POST is more secure than GET at the user agent. The user agent or HTML should not be dismissed when writing web apps.
You and I apparently have very different definitions of security, SOD.

SOD wrote: Gerry said: "Use either GET or POST as appropriate based on their strength and weaknesses over one another. ie. cacheability, data size, transparency to the end user etc"

All those things point to using POST when submitting data.

Thanks for making my point Gerry :shock:
Again, that was a remark on its use, not its security. I was saying that you should choose between the two based on your needs. Usage was never in debate, although you keep trying to pretend it was...
SOD wrote: A Get has a limit of 100 char.
Source: http://www.w3schools.com/PHP/php_get.asp
SOD wrote: The only reason to use a GET is to:
"retain some of the benefits of URI addressability"

That would be the only reason...
I can only imagine you keep doing this in order to merge and confuse the security issue, for the purposes of hiding the fact that you were wrong. I was fine with letting you bow out without pointing that out, but strangely you decided to come back for more.

I guess being a good debater means never having to admit you're wrong, but that doesn't mean that others don't know it.
Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby Dark Shadow » 03/06/09, 1:45 pm

Gerry, your account is activated.
Dark Shadow
Senior Member (Entitled To Root Beer)
Posts: 860
Joined: 12/09/01, 12:00 am
