Security Question regarding Handhshake protocol

codes

php

handshake

hmac

cringe

spoof

sophisticated

password

liked

hearing

guestuser 2007-10-22 14:12:15 UTC #1

Hi,

I was just reading http://www.e-junkie.com/ej/help.selling-codes.php and I really liked the way you had the registration codes set up. That is, until I looked at it further.

Based on the example, the handshake is always going to be the same. Therefore, very easy for someone to spoof.

Also, the idea of having the ejunkie login/password embedded in the php file makes me cringe (although, you could figure out the md5 of the pw and just use that). Would it be possible to make it a little more sophisticated? I was thinking along the lines of using a 'shared secret' key + hmac. The handshake would then be: hmac('shared secret', 'transaction id') If php is your thing, there is code here: http://www.php.net/sha1 This will prevent someone from just spoofing the handshake.

What are your thoughts about this? The current implementation is rather weak. Unless I'm missing something??

Thanks, I look forward to hearing back from you!

guestuser 2007-10-22 14:13:31 UTC #2

I do agree with you more or less apart from the fact that current implementation is rather weak. The shared secret is going to be same but it's never public unless someone has access to your server logs, and if buyers can breach your server security then they already have the access they need.

As for storing the password in the script, as you said you can simply just store it's md5 in the php script. Better yet, you can simply store the shared secret in the php file.

That said, we will eventually start passing HMAC hash as well but handshake will stay the same to be backward compatible.

e_junkieexpert 2007-10-22 14:14:15 UTC #3

clicktilt 2010-06-03 06:20:49 UTC #4

I'm sad to see that this hasn't been fixed yet.

How about adding the POST data to the md5 parameters, that way at least we can guarantee a unique handshake for each request and that the POST parameters have not been tampered with.

E-junkie_Ninja 2010-06-04 12:44:35 UTC #5

I will past your suggestion on to our development team.

wayneatwritelog 2010-07-02 20:19:36 UTC #6

I also would like to see an answer to this request to have the code generation URL get a "handshake" that is not constant for all requests. I see there was a similar thread here dated last year that seems to have ended with the same "suggestion to development team post".

SOLUTIONS FEATURES PRICING DISCOVER PRODUCTS CONTACT HELP DOCS DASHBOARD

Forum

E-junkie Community Forum

Share and learn in the E-junkie community.