Re: socketServer questions
- From: rbt <rbt@xxxxxxxxxxxxxxxxx>
- Date: Mon, 10 Oct 2005 08:44:44 -0400
On Sat, 2005-10-08 at 14:09 -0700, Paul Rubinhttp: wrote:
> rbt <rbt@xxxxxxxxxxxxxxxxx> writes:
> > Off-topic here, but you've caused me to have a thought... Can hmac be
> > used on untrusted clients? Clients that may fall into the wrong hands?
> > How would one handle message verification when one cannot trust the
> > client? What is there besides hmac? Thanks, rbt
>
> I don't understand the question. HMAC requires that both ends share a
> secret key; does that help?
That's what I don't get. If both sides have the key... how can it be
'secret'? All one would have to do is look at the code on any of the
clients and they'd then know everything, right?
> What do you mean by verification?
I'm trying to keep script kiddies from tampering with a socket server. I
want the server to only load a valid or verified string into its log
database and to discard everything else.
Strings could come to the socket server from anywhere on the Net from
any machine. This is outside my control. What is there to prevent a
knowledgeable person from finding the py code on a client computer,
understanding it and then being able to forge a string that the server
will accept?
Does that make sense?
.
- Follow-Ups:
- Re: socketServer questions
- From: Paul Rubin
- Re: socketServer questions
- References:
- socketServer questions
- From: rbt
- Re: socketServer questions
- From: Paul Rubin
- Re: socketServer questions
- From: rbt
- Re: socketServer questions
- From: Paul Rubin
- Re: socketServer questions
- From: rbt
- Re: socketServer questions
- From: Paul Rubin
- socketServer questions
- Prev by Date: Re: Comparing lists
- Next by Date: Re: socketServer questions
- Previous by thread: Re: socketServer questions
- Next by thread: Re: socketServer questions
- Index(es):
Relevant Pages
|
