Re: How to completely destroy a script and make it disappear forever.

On 2008-10-18 22:12, Jorge wrote:
> To fight sniffing and curl lookalikes there's SSL/https

Won't work. An attacker can use a local proxy to talk to your server
over SSL, and have plain HTTP traffic between the browser and the proxy.
Use SSL to protect the visitor from man-in-the-middle attacks, not to
protect the server from the visitor.

> if not, the innerHTML of the script can be received scrambled in an
> XHR:
>
>   document.getElementsByTagName('head')[0]
>     .appendChild(document.createElement('script'))
>     .innerHTML = unscramble(XHR.responseText);

And you helpfully provide the unscramble() function and all necessary
keys to the client, and therefore to the attacker.

I know, it's frustrating. There's just no way to send secrets to a
browser in such a way that the browser can access them and the user
cannot. BTW, that's also the fundamental flaw of the various DRM
schemes, so you're in good company if you still think you can make it
work. But ultimately these attempts are doomed to fail - all that's
needed to break them is one bored hacker.


- Conrad
