[Project_owners] [OT] Some help needed

Arturo 'Buanzo' Busleiman buanzo at buanzo.com.ar
Tue Feb 13 14:15:42 PST 2007



eric.jung at yahoo.com wrote:
> Neither have I. If you figure that out, I'd be very interested in
> learning it. Specifically, I've never found a way to correlate requests
> to a browser/window/tab/document.

We should talk with the mozilla team about this. Yes.

> Can I ask what you're trying to do with the form in the request
> observer? Maybe there's another way to get at the same goal.

Yes, quite possible. There are many ideas, but if you really are willing to give me a (much needed)
hand, I'd recommend that you give the overlay.js file of my extension a quick look. The code is
quite easy to follow. I've written it with the purpose of making it easily enhanceable/understandable.

In a nutshell, when the request is made, I check if it should be signed or not (that's something the
webmaster decides, let's say). If it should be signed (currently, by checking the post's content for
a certain field=value pair), then it is processed through OpenPGP, and this new payload is sent
instead of the unsigned one.

If anyone wants to check it out:
http://linux-consulting.buanzo.com.ar/2007/02/openpgp-signing-of-http-post.html

Abstract:

This document describes an extension to the HTTP POST [RFC 2616] method that, along with compatible
browser and server-side software, allows the POST contents to be digitally signed, on the client
side, and verified, on the server side, by means of an OpenPGP standard [RFC 2440] implementation on
both sides. This allows web developers to add a new layer of security to their applications, and if
correctly implemented will render data tampering / man-in-the-middle attacks useless. The direct
benefit of implementing this extension is that web developers will be able to verify the POST
payload signature, potentially avoiding session management and/or login procedures.

--
Arturo "Buanzo" Busleiman - Independent Information Security Consultant
Secure Mail Hosting and Consulting - http://www.buanzo.com.ar/pro/

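The sign-on-trigger flow described in the message above, as an added example that is not the extension's own code: the request-observer check for the webmaster's field=value trigger, the signed payload that replaces the unsigned one, and the server-side verification that rejects a body whose signature is missing or no longer matches the fields. It swaps in an HMAC with a constructed key for the OpenPGP signature (Python's standard library ships no OpenPGP implementation), so the field names, the trigger pair and the key are assumptions; with OpenPGP the server would verify against the poster's public key instead.

```python
"""Added example (not the extension's code): sign-on-trigger POST flow with an
HMAC stand-in for the OpenPGP signature, standard library only."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed trigger pair: the webmaster marks a form as one that must be signed.
TRIGGER = ("x-openpgp-sign", "1")
SIG_FIELD = "x-openpgp-sig"  # constructed name for the field carrying the signature
# Constructed demo key; the real extension would use the poster's OpenPGP private key.
KEY = b"constructed-demo-key"


def needs_signing(body: str) -> bool:
    """Client side: does the POST body carry the webmaster's field=value trigger?"""
    return TRIGGER in parse_qsl(body, keep_blank_values=True)


def canonical(fields) -> str:
    """Encode the fields in a stable order so client and server hash identical bytes."""
    return urlencode(sorted(fields))


def sign_post(body: str) -> str:
    """Build the payload that replaces the unsigned body: all fields plus a signature."""
    fields = parse_qsl(body, keep_blank_values=True)
    sig = hmac.new(KEY, canonical(fields).encode(), hashlib.sha256).hexdigest()
    return urlencode(fields + [(SIG_FIELD, sig)])


def verify_post(body: str):
    """Server side: return the verified fields, or None if unsigned or altered."""
    fields = parse_qsl(body, keep_blank_values=True)
    sigs = [v for k, v in fields if k == SIG_FIELD]
    if len(sigs) != 1:  # no signature, or several: refuse rather than guess
        return None
    payload = [(k, v) for k, v in fields if k != SIG_FIELD]
    expected = hmac.new(KEY, canonical(payload).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sigs[0]):
        return None
    return dict(payload)


def observe_request(body: str) -> str:
    """What the request observer does: sign only when the trigger pair is present."""
    return sign_post(body) if needs_signing(body) else body
```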
