Posted by Ian Holsman
Wed, 05 Dec 2007 17:16:00 GMT
So I had an idea on how to semi-anonymize logging and wanted to run it by you guys.
I have a need for a system to record the location of the person who is doing something. So I can’t just not log the IP#.
So I was thinking that if I could just keep the MD5 of the IP# that would be enough, but it still leaves me open to a brute force attack.
So the next thought is: if I could use the authenticated user’s password (which is passed in plain text into Apache at one point) in combination with the IP#, you would need to know something private to the user as well.
Is this sufficient?
Or am I showing my total idiocy on encryption here?
Posted in General | Tags security | 3 comments
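The brute-force worry in the post is concrete: MD5 itself is not the weak point, the input space is. IPv4 has only 2^32 addresses, so anyone holding a log of md5(IP) values can hash every address and read the log in clear. The Python below is an added example, not code from the post: it recovers an unkeyed MD5 pseudonym by enumerating a /16, then shows the usual fix, a keyed pseudonym (HMAC-SHA256 under a secret the server holds and keeps away from the log store). The keyed token is still stable per address, so repeat visits remain linkable for analysis, but enumeration goes nowhere without the key. The sample address, network and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_IP = "10.42.17.9"
SAMPLE_NETWORK = "10.42.0.0/16"   # 65,536 candidates: a search that finishes in seconds
# Assumption: in a real deployment this comes from generate_secret() and lives in
# configuration, never next to the logs it protects.
SERVER_SECRET = b"replace-me-with-32-random-bytes"


def generate_secret() -> bytes:
    """A fresh 256-bit key for the keyed scheme."""
    return secrets.token_bytes(32)


def unkeyed_pseudonym(ip: str) -> str:
    """The md5(IP) scheme from the post: deterministic, but reversible by enumeration."""
    return hashlib.md5(ip.encode()).hexdigest()


def brute_force_unkeyed(target: str, network: str) -> Optional[str]:
    """Recover the address behind an unkeyed MD5 by hashing every address in `network`.
    The whole IPv4 space is only 2**32 values, so an attacker holding the log can afford this."""
    for host in ipaddress.ip_network(network):
        if hashlib.md5(str(host).encode()).hexdigest() == target:
            return str(host)
    return None


def keyed_pseudonym(ip: str, key: bytes = SERVER_SECRET, hex_len: int = 16) -> str:
    """HMAC-SHA256 of the address under a server-held key, truncated to hex_len hex digits.
    Same address + same key -> same token, so events from one address stay linkable,
    but the enumeration above is useless without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:hex_len]


def brute_force_keyed(target: str, network: str, guessed_key: bytes,
                      hex_len: int = 16) -> Optional[str]:
    """The same enumeration against the keyed scheme: succeeds only if the key guess is right."""
    for host in ipaddress.ip_network(network):
        if keyed_pseudonym(str(host), guessed_key, hex_len) == target:
            return str(host)
    return None


if __name__ == "__main__":
    md5_token = unkeyed_pseudonym(SAMPLE_IP)
    print("md5(IP) recovered:", brute_force_unkeyed(md5_token, SAMPLE_NETWORK))
    hmac_token = keyed_pseudonym(SAMPLE_IP)
    print("HMAC token:", hmac_token)
    print("recovered without key:", brute_force_keyed(hmac_token, SAMPLE_NETWORK, b"wrong guess"))
    print("recovered with key:", brute_force_keyed(hmac_token, SAMPLE_NETWORK, SERVER_SECRET))
```

Two practical points on using the user's password as the key instead of a server secret: the token for an address changes whenever the user changes their password, so the log loses linkability across that boundary, and the operator can no longer check or correlate tokens without the password either. A server-side secret gives the attacker the same missing ingredient while keeping the log usable; the thing to get right is storing that secret (and rotating it) separately from wherever the logs end up.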
Posted by Ian Holsman
Tue, 14 Feb 2006 22:19:00 GMT
I just stumbled onto this Talk about security and Ajax by a fellow Melbournian
which serves as a good introduction to the topic, and highlights some issues to beware of.
The tool they are using to demonstrate stuff is called Paros
which looks like a great ajax debugging tool, and I will be making use of it to debug my own code. (I was resorting to tcpdump in some cases)
Posted in Ajax | Tags ajax, security | no comments | no trackbacks
Posted by Ian Holsman
Mon, 21 Nov 2005 16:17:00 GMT
Where Luke’s CSRF middleware protects you against cross-site request forgery,
SafePost
is geared to stopping your users entering nasty HTML.
By leveraging the middleware layer, it intercepts every POST and strips out JavaScript and ‘unsafe’ tags.
The code uses Chris’s StripOGram to do all the heavy lifting.
Comments Welcome.
Update: this isn’t entirely safe.
Simon Willison pointed me to:
Processing HTML
and this, which goes a lot further.
Posted in Development | Tags django, security | no comments | no trackbacks
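The update's "isn't entirely safe" has a standard shape: stripping a blacklist of tags out of a POST body fails on input that reassembles after one pass, on event-handler attributes on tags that were never on the list, and on javascript: URLs. The Python below is an added example, not SafePost or StripOGram code (the naive stripper is a constructed stand-in for single-pass blacklist removal, not a copy of StripOGram's logic). It shows each failure against constructed payloads, then an allowlist sanitizer built on the standard library's html.parser that rebuilds the fragment keeping only known-good tags and attributes, applied to POST fields the way a middleware would.

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker payloads for the demonstration (not from the original post).
REASSEMBLY = "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>"
HANDLER = "<img src=x onerror=alert(1)>"
JS_URL = '<a href="javascript:alert(1)">click</a>'


def strip_blacklist_naive(text: str) -> str:
    """Stand-in for blacklist stripping (assumed behaviour, not StripOGram's code):
    delete known-dangerous tags in one pass and leave everything else alone."""
    return re.sub(r"(?i)</?\s*(script|iframe|object|embed)\b[^>]*>", "", text)


ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def safe_url(value) -> bool:
    """Accept relative URLs and allowlisted schemes only. Tabs and newlines are removed
    first because browsers ignore them inside a scheme ('java\\tscript:')."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip().lower()
    before_slash = cleaned.split("/", 1)[0]
    if ":" not in before_slash:
        return True  # no scheme at all: a relative URL
    return before_slash.split(":", 1)[0] in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild the input keeping only allowlisted tags and attributes. Unknown tags
    vanish but their text stays (escaped); script/style bodies are dropped outright."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []    # allowed tags currently open, so the output is balanced
        self.discard = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.discard += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # names arrive lowercased, values entity-decoded
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style=, etc.
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.discard = max(0, self.discard - 1)
        elif tag in self.open:
            while self.open:  # close anything left open inside this tag as well
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.discard:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


def sanitize_post(fields: dict) -> dict:
    """What a SafePost-style middleware would do to request.POST before the view sees it."""
    return {name: sanitize_html(value) for name, value in fields.items()}


if __name__ == "__main__":
    for payload in (REASSEMBLY, HANDLER, JS_URL):
        print("naive   :", strip_blacklist_naive(payload))
        print("allowlist:", sanitize_html(payload))
```

The naive stripper turns the reassembly payload into a live `<script>alert(1)</script>` and passes the `onerror` and `javascript:` payloads through untouched; the allowlist version emits no tag it did not choose to emit, and attribute values are re-escaped on output, so the only things that reach the page are the tags and attributes named in the allowlist. The price is that legitimate markup outside the allowlist (tables, images) is reduced to its text, which for a comment form is usually the right trade.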