Golbez
Oct 9, 2002

1 2 3!
If you want to take a shot at me get in line, line
1 2 3!
Baby, I've had all my shots and I'm fine
I want to possibly preempt a horror:

Is it a horror if, for a purely internal app, an array of SSNs and names is included in the Javascript for use in an autocomplete? Or should it rely on AJAX to populate the autocomplete, to lessen the security risk?

Note that if someone has access to this app they have access to all that data anyway, the only risk would be if someone saved a copy of the page source and then decided to share it around. But if they wanted to do that, they're literally two clicks away from a report that would show all of this information in an even easier format. So the only risk would be accidental exposure, which seems unlikely.

Plorkyeran
Mar 22, 2007

To Escape The Shackles Of The Old Forums, We Must Reject The Tribal Negativity He Endorsed
Populating via ajax would help avoid the risk of the SSNs sitting in the browser's cache when a machine is stolen, if that's a concern.

The Gripper
Sep 14, 2004
i am winner

Golbez posted:

I want to possibly preempt a horror:

Is it a horror if, for a purely internal app, an array of SSNs and names is included in the Javascript for use in an autocomplete? Or should it rely on AJAX to populate the autocomplete, to lessen the security risk?

Note that if someone has access to this app they have access to all that data anyway, the only risk would be if someone saved a copy of the page source and then decided to share it around. But if they wanted to do that, they're literally two clicks away from a report that would show all of this information in an even easier format. So the only risk would be accidental exposure, which seems unlikely.
Probably only because it's less traceable, but that's only true if your other apps keep track of who's printing what reports. Doing it via AJAX is no more secure because people can just poll the AJAX unrestricted anyway.

Golbez
Oct 9, 2002

Plorkyeran posted:

Populating via ajax would help avoid the risk of the SSNs sitting in the browser's cache when a machine is stolen, if that's a concern.

If one of these machines is stolen then we have far more than SSN + name to worry about.

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro
Fun Shoe

Golbez posted:

Is it a horror if, for a purely internal app, an array of SSNs and names is included in the Javascript for use in an autocomplete? Or should it rely on AJAX to populate the autocomplete, to lessen the security risk?

This is not something the internet should have any say in. Ask your security advisor.

Golbez
Oct 9, 2002

Suspicious Dish posted:

This is not something the internet should have any say in. Ask your security advisor.

Good point. Asked.

Zombywuf
Mar 29, 2008

Plorkyeran posted:

Populating via ajax would help avoid the risk of the SSNs sitting in the browser's cache when a machine is stolen, if that's a concern.

Or you should use the cache control header to do this.

Plorkyeran
Mar 22, 2007

Zombywuf posted:

Or you should use the cache control header to do this.
It's hopefully not a concern for an internal app not available over the internet, but I've seen those stripped by retarded proxy servers.

Golbez
Oct 9, 2002

Plorkyeran posted:

It's hopefully not a concern for an internal app not available over the internet, but I've seen those stripped by retarded proxy servers.

Well it's been pointed out that someone might be logging in remotely and working on it - unlikely, but possible - so we'll be looking at cache regulation, but ... if they're looking at the page that contains the names and SSN, they're going to be also clicking through to a detailed page which contains far more useful information. But then we run into that problem for any sensitive webpage and no one seems to care much about that being an issue.

Zombywuf
Mar 29, 2008

Plorkyeran posted:

It's hopefully not a concern for an internal app not available over the internet, but I've seen those stripped by retarded proxy servers.

Then the ajax requests are probably getting cached by retarded proxy servers.

Bruegels Fuckbooks
Sep 14, 2004

Now, listen - I know the two of you are very different from each other in a lot of ways, but you have to understand that as far as Grandpa's concerned, you're both pieces of shit! Yeah. I can prove it mathematically.
code:
function b64utob64(s) {
    // base64 pads to a multiple of 4, so this should test s.length % 4
    // (2 -> "==", 3 -> "="); testing % 3 pads the wrong strings
    if (s.length % 3 == 1) s = s + "==";
    if (s.length % 3 == 2) s = s + "=";
    s = s.replace(/-/g, "+");
    s = s.replace(/_/g, "/");
    return s;
}
Missed it by that much!
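
The fix for the function above, as an added Go example that is not from the poster: the padding has to be decided on the length modulo 4, not 3, because four base64 characters carry three bytes. The horror is transcribed beside the corrected version so the two can be compared on the same inputs; the test strings are the RFC 4648 vectors for "f", "fo", "foo" and a constructed two-byte value that exercises the "-" and "_" replacements.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// horrorB64uToB64 is the JavaScript above transcribed to Go, kept only for
// comparison: it pads according to length % 3, the wrong modulus.
func horrorB64uToB64(s string) string {
	if len(s)%3 == 1 {
		s += "=="
	}
	if len(s)%3 == 2 {
		s += "="
	}
	return strings.NewReplacer("-", "+", "_", "/").Replace(s)
}

// b64uToB64 converts unpadded base64url (RFC 4648 section 5) to standard
// base64. Four characters carry three bytes, so the length must be padded to
// a multiple of 4: two leftover characters need "==", three need "=", and a
// leftover of one is impossible for valid input and is rejected.
func b64uToB64(s string) (string, error) {
	s = strings.TrimRight(s, "=") // tolerate input that was already padded
	switch len(s) % 4 {
	case 0:
	case 2:
		s += "=="
	case 3:
		s += "="
	default:
		return "", fmt.Errorf("invalid base64url length %d", len(s))
	}
	return strings.NewReplacer("-", "+", "_", "/").Replace(s), nil
}

// decodeB64u converts and then decodes, so bad input surfaces as an error
// rather than as silently truncated bytes.
func decodeB64u(s string) ([]byte, error) {
	std, err := b64uToB64(s)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(std)
}

func main() {
	for _, in := range []string{"Zg", "Zm8", "Zm9v", "-_8"} { // "f", "fo", "foo", 0xfb 0xff
		fixed, err := b64uToB64(in)
		fmt.Printf("%-5s horror=%-8q fixed=%-8q err=%v\n", in, horrorB64uToB64(in), fixed, err)
	}
}
```

In real code there is no need to convert at all: Go's base64.RawURLEncoding decodes base64url directly, and most languages have an equivalent. The manual conversion is shown only because it is where the original goes wrong.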

bobthecheese
Jun 7, 2006
Although I've never met Martha Stewart, I'll probably never birth her child.

Suspicious Dish posted:

I'm actually curious, is there a good public API to get those? It seems like it should be an API provided by some government agency somewhere.

A number of projects I worked on used the yahoo finance API for daily currency feeds (I'll see if I can dredge up the information).

dorkanoid
Dec 21, 2004

Golbez posted:

Well it's been pointed out that someone might be logging in remotely and working on it - unlikely, but possible - so we'll be looking at cache regulation, but ... if they're looking at the page that contains the names and SSN, they're going to be also clicking through to a detailed page which contains far more useful information. But then we run into that problem for any sensitive webpage and no one seems to care much about that being an issue.

HTTPS wouldn't be cached, and for an internal app it should be fairly simple to set that up (potentially self-signed, there's probably some way of trusting a certificate company-wide).

Golbez
Oct 9, 2002

dorkanoid posted:

HTTPS wouldn't be cached, and for an internal app it should be fairly simple to set that up (potentially self-signed, there's probably some way of trusting a certificate company-wide).

Are you sure? I'm seeing people state that https is cached just like http is.

The Gripper
Sep 14, 2004
It's cached. HTTPS isn't meant to secure data once it gets to you, just verify integrity of the sender and protect during transport, so there's no reason not to cache it like any other content.

Plorkyeran
Mar 22, 2007

If a retarded misbehaving proxy is able to see the decrypted contents of stuff sent over HTTPS then you have a far bigger concern than cache issues, and the encrypted data getting cached somewhere might be a source of annoying issues but shouldn't be a security problem. I guess if it is getting sent over HTTPS correctly then the proxy won't be able to gently caress with the headers though, so using HTTPS and telling the browser not to cache stuff is reasonably sufficient.

Only allowing local network access and forcing people to use a VPN simplifies things quite a bit if you can get away with it.
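
The trade-off argued over in the posts above (the whole table embedded in the page's JavaScript versus an AJAX endpoint, plus the cache-control headers Zombywuf and Plorkyeran mention) as an added Go example that is not code from any poster: a small net/http autocomplete handler. It assumes an upstream authentication layer that sets a hypothetical X-Authenticated-User header, returns only the name and the last four SSN digits (the full value stays on the detail page), refuses prefixes shorter than three characters, caps the result count, sets Cache-Control: no-store, and writes one audit line per lookup so that polling the endpoint is as traceable as pulling the report. The records are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Person is one record the autocomplete searches. The SSNs used below are
// constructed placeholders, not real numbers.
type Person struct {
	Name string
	SSN  string
}

// Match is what the endpoint returns: the name and only the last four digits
// of the SSN, so the full value is never shipped on this route at all.
type Match struct {
	Name     string `json:"name"`
	SSNLast4 string `json:"ssn_last4"`
}

const (
	minPrefixLen = 3  // refuse prefixes short enough to enumerate the whole table
	maxResults   = 10 // cap how much one request can pull
)

// search returns at most maxResults records whose name or SSN starts with q.
func search(records []Person, q string) []Match {
	q = strings.ToLower(strings.TrimSpace(q))
	out := []Match{} // non-nil so an empty result encodes as [] rather than null
	if len(q) < minPrefixLen {
		return out
	}
	for _, p := range records {
		if strings.HasPrefix(strings.ToLower(p.Name), q) || strings.HasPrefix(p.SSN, q) {
			last4 := p.SSN
			if len(last4) > 4 {
				last4 = last4[len(last4)-4:]
			}
			out = append(out, Match{Name: p.Name, SSNLast4: last4})
			if len(out) == maxResults {
				break
			}
		}
	}
	return out
}

// NewAutocompleteHandler serves suggestions over a separate request instead of
// embedding the whole table in the page's JavaScript. It assumes an upstream
// authentication layer sets X-Authenticated-User (a hypothetical header name);
// audit receives one line per lookup.
func NewAutocompleteHandler(records []Person, audit func(string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Tell the browser, and any proxy that honours it, not to store the reply.
		w.Header().Set("Cache-Control", "no-store, private")
		w.Header().Set("Pragma", "no-cache")

		user := r.Header.Get("X-Authenticated-User")
		if user == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		q := r.URL.Query().Get("q")
		results := search(records, q)
		// Record who looked up what: polling this endpoint is then as
		// traceable as running the report would be.
		audit(fmt.Sprintf("user=%s prefix=%q results=%d", user, q, len(results)))
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(results)
	})
}

func main() {
	records := []Person{ // constructed sample data
		{"Alice Example", "000-00-0001"},
		{"Alicia Sample", "000-00-0002"},
		{"Bob Placeholder", "000-00-0003"},
	}
	audit := func(line string) { fmt.Println("audit:", line) }
	http.Handle("/autocomplete", NewAutocompleteHandler(records, audit))
	fmt.Println("listening on :8080")
	http.ListenAndServe(":8080", nil)
}
```

The headers only help where the proxy in the path honours them, which is the point made about misbehaving proxies; the audit line and the minimum prefix length are what answer The Gripper's objection that an endpoint can simply be polled.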

dorkanoid
Dec 21, 2004

I posted a bit fast; what I meant was that a proxy wouldn't cache anything that's sent over HTTPS, and wouldn't (I think?) change the headers of things sent over HTTPS, negating that part of the equation.

Plorkyeran posted:

If a retarded misbehaving proxy is able to see the decrypted contents of stuff sent over HTTPS then you have a far bigger concern than cache issues, and the encrypted data getting cached somewhere might be a source of annoying issues but shouldn't be a security problem. I guess if it is getting sent over HTTPS correctly then the proxy won't be able to gently caress with the headers though, so using HTTPS and telling the browser not to cache stuff is reasonably sufficient.

Only allowing local network access and forcing people to use a VPN simplifies things quite a bit if you can get away with it.

I'm assuming such proxies exist, but wouldn't the internet be a horrible mess of red padlocks and certificate warnings then?

Impotence
Nov 8, 2010
Lipstick Apathy

Plorkyeran posted:

If a retarded misbehaving proxy is able to see the decrypted contents of stuff sent over HTTPS then you have a far bigger concern than cache issues, and the encrypted data getting cached somewhere might be a source of annoying issues but shouldn't be a security problem. I guess if it is getting sent over HTTPS correctly then the proxy won't be able to gently caress with the headers though, so using HTTPS and telling the browser not to cache stuff is reasonably sufficient.

Well sometimes...

raminasi
Jan 25, 2005

a last drink with no ice

I don't really get the nuances of how PKI works, but am I correct in reading this as a CA that issued something that allowed some company to MITM all their traffic?

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

GrumpyDoctor posted:

I don't really get the nuances of how PKI works, but am I correct in reading this as a CA that issued something that allowed some company to MITM all their traffic?

It also allows that company to MitM all traffic everywhere between systems that trust that particular root CA.

The correct way to MitM your own internal traffic (which there are valid reasons for in a corporate environment) is to generate your own certificate and set it as a trusted root certificate on all your own machines.

Bonfire Lit
Jul 9, 2008

If you're one of the sinners who caused this please unfriend me now.

GrumpyDoctor posted:

I don't really get the nuances of how PKI works, but am I correct in reading this as a CA that issued something that allowed some company to MITM all their traffic?
Pretty much.

(For simplicity I'm just explaining a web server<->browser connection here:) SSL certificates are considered valid by a browser if it can establish a chain of trust from the certificate the server sends to a certificate it "knows". These root certificates are shipped by the browser manufacturer, who has a set of policies which determines what certificates are eligible.

Let's say you have a certificate for example.com. To check whether it should trust this certificate, the browser looks at the issuer. In this hypothetical case the issuer is CheapCertificates Intermediate CA, but the browser doesn't know that. So it looks at the issuer of the cert of CheapCertificates Intermediate CA, which is CheapCertificates Root CA. If the browser has this certificate in its root store, then it trusts the example.com certificate too. Otherwise it continues to check issuers until it reaches a certificate that is issued by itself; if it still doesn't know that one, then the browser will notify the user and show a scary warning message.

Usually, if you buy a certificate from a certificate authority, the certificate they send you will have a flag set that means "this certificate can't issue other certificates", so you can't use your example.com certificate to sign a certificate for paypal.com. In this case though, the CA intentionally sold a certificate that didn't have this flag set, in order to allow the company to MITM their users' traffic.

The problem with this is that nothing is really limiting the company to only MITM their own users; they have an intermediate CA certificate that's signed by a trusted root CA, one that's in the Mozilla root store. So if you're using a stock Firefox, the company can snoop on your traffic too (provided that they can route it via their servers, which they probably can't). I haven't checked with other browsers, but it's likely similar.

In corporate settings, something like this is really inexcusable: the corporation owns the computers anyway, so they're free to install their own root CA in their browsers. That way they still gain the ability to MITM their own traffic, but browsers outside of their control don't trust their private CA.
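
The chain-of-trust walk Bonfire Lit describes, as an added Go example that is not from the poster: it builds the hypothetical CheapCertificates root and intermediate with Go's crypto/x509, issues an example.com certificate, and then asks the browser's question for each case in the post. The "can't issue other certificates" flag is the basic-constraints CA bit. "SomeCorp" is a placeholder name for the company in question; the Ed25519 keys are generated fresh on every run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issued pairs a parsed certificate with the private key it was made for.
type issued struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

var serial int64 // toy serial-number counter

// issue creates a certificate for name. isCA sets the basic-constraints CA
// flag, the "may issue other certificates" bit. A nil parent means self-signed.
func issue(name string, isCA bool, parent *issued) (*issued, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	parentCert, signer := tmpl, priv
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issued{cert: cert, key: priv}, nil
}

// trusted is the browser's question: can a chain be built from leaf, through
// the offered intermediates, to a certificate in the root store, for host?
func trusted(leaf *issued, host string, roots, intermediates []*issued) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r.cert)
	}
	for _, i := range intermediates {
		interPool.AddCert(i.cert)
	}
	_, err := leaf.cert.Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool})
	return err == nil
}

// canImpersonate: would a certificate for host, signed by issuer, be accepted
// by a client holding roots? The issuer's own cert is sent along as an intermediate.
func canImpersonate(issuer *issued, host string, roots, intermediates []*issued) bool {
	leaf, err := issue(host, false, issuer)
	if err != nil {
		return false // the library refused to sign with this issuer at all
	}
	return trusted(leaf, host, roots, append(intermediates, issuer))
}

func main() {
	root, _ := issue("CheapCertificates Root CA", true, nil)
	inter, _ := issue("CheapCertificates Intermediate CA", true, root)
	site, _ := issue("example.com", false, inter)
	stock := []*issued{root} // what a stock browser ships
	fmt.Println("example.com via its chain:", trusted(site, "example.com", stock, []*issued{inter}))
	fmt.Println("example.com cert signing paypal.com:", canImpersonate(site, "paypal.com", stock, []*issued{inter}))
	rogue, _ := issue("SomeCorp MITM Intermediate", true, root)
	fmt.Println("CA-flagged intermediate signing paypal.com:", canImpersonate(rogue, "paypal.com", stock, nil))
	private, _ := issue("SomeCorp Private Root", true, nil)
	fmt.Println("private root, stock store:", canImpersonate(private, "paypal.com", stock, nil))
	fmt.Println("private root, corporate store:", canImpersonate(private, "paypal.com", []*issued{root, private}, nil))
}
```

The last two lines are the distinction the post ends on: a private root installed on the company's own machines is accepted there and nowhere else, while an intermediate carrying the CA flag under a public root is accepted by every stock browser.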

MrMoo
Sep 14, 2000

Suspicious Dish posted:

I'm actually curious, is there a good public API to get those? It seems like it should be an API provided by some government agency somewhere.

It's about $10k/mo to get the rates from reliable sources, although you generally have three sources: Dealing 2000/3000 for some major currencies, EBS for Japan, and you can defer to Reuters or Bloomberg for everything else. There are no exchanges or government agencies involved in FX, it's a strange voluntary system in which trading firms submit latest prices to say Dealing 2000.

I had a 6 month project to calculate the highs and lows of various currency pairs, amazing.

Suspicious Dish
Sep 24, 2011

This probably doesn't belong in CoC or this thread, but how does foreign exchange trading work? To exchange my American Dollars with something else when I travel abroad, I find a US Embassy or a bank that deals with them, so I thought foreign exchange was centrally controlled. But from what it sounds like, rates are more like market influences between several independent traders, and the Dealing 2000 is the major exchange to follow, and what I assume the Embassy follows?

Internet Janitor
May 17, 2008

"That isn't the appropriate trash receptacle."
When you perform currency exchange you are literally selling a currency as if it were an ordinary good, like haricot beans or iron ore, in exchange for the local currency. It is not centrally controlled any more than the sales of other goods, but naturally there are large exchanges which represent sort of an averaged-out sale value based on supply and demand, which is in turn impacted by speculation.

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall pass away,
generation shall follow generations' course

Suspicious Dish posted:

I'm actually curious, is there a good public API to get those? It seems like it should be an API provided by some government agency somewhere.

I had to set that up at a former job. Some things to take into account:

- The feed only updates on normal weekdays (at 3 pm CET).
- There may be problems obtaining the feed, so have a policy for how long to retain the rates, and what to do if you can't get new data.
- Consider how to handle your historical data. Rates change over time, and using the rates from today to do calculations on data from 2006 (or even last week) makes a significant difference. Two ways of doing it are either saving the rates in versioned tables by date, or getting the full historical feed when needed. Note the full feed does not have entries for dates where the daily feed was not updated.
- Have an alert go off if an exchange rate changes more than some percentage day-to-day; you'll probably want to take special action (for instance with the Icelandic Krona a couple years back, we changed the way we handled that market to be less at risk).
- You can do intra-currency conversions (GBP <> USD) by dividing their EUR rates, but as always, be wary of using floating point with money (better to use fixed point).
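
The points in the list above (dated rate tables, a staleness policy for days without a feed update, the day-to-day change alert, and cross rates computed by dividing EUR rates without floating point) as one added Go example that is not from the poster. Rates are stored as exact rationals (math/big.Rat) keyed by publication date; the data is constructed, covering a Thursday, a Friday and the following Monday with a 10% jump in ISK on the Friday.

```go
package main

import (
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Rates holds, per publication date, how many units of each currency one EUR
// buys, as exact rationals rather than floats. The feed publishes on weekdays
// only, so weekend and holiday dates have no entry at all.
type Rates map[string]map[string]*big.Rat // "2012-10-19" -> "USD" -> rate

const dateLayout = "2006-01-02"

// rat parses a decimal from the feed exactly; a bad value is a programming error here.
func rat(s string) *big.Rat {
	r, ok := new(big.Rat).SetString(s)
	if !ok {
		panic("bad rate " + s)
	}
	return r
}

// RateOn returns the ccy rate in force on date: that day's entry, or the most
// recent earlier one when the feed had no update, but nothing older than
// maxStale days. It also reports which date the rate actually came from.
func (r Rates) RateOn(date, ccy string, maxStale int) (*big.Rat, string, error) {
	d, err := time.Parse(dateLayout, date)
	if err != nil {
		return nil, "", err
	}
	for back := 0; back <= maxStale; back++ {
		key := d.AddDate(0, 0, -back).Format(dateLayout)
		if v, ok := r[key][ccy]; ok {
			return v, key, nil
		}
	}
	return nil, "", fmt.Errorf("no %s rate within %d days before %s", ccy, maxStale, date)
}

// Cross converts amount between two non-EUR currencies through their EUR
// rates on date: amount * (EUR->to) / (EUR->from), with no float rounding.
func (r Rates) Cross(date, from, to string, amount *big.Rat, maxStale int) (*big.Rat, error) {
	rf, _, err := r.RateOn(date, from, maxStale)
	if err != nil {
		return nil, err
	}
	rt, _, err := r.RateOn(date, to, maxStale)
	if err != nil {
		return nil, err
	}
	out := new(big.Rat).Mul(amount, rt)
	return out.Quo(out, rf), nil
}

// DailyAlerts lists currencies whose rate moved by more than thresholdPct
// percent between the previous published rate and the one on date.
func (r Rates) DailyAlerts(date string, thresholdPct int64, maxStale int) []string {
	d, err := time.Parse(dateLayout, date)
	today, ok := r[date]
	if err != nil || !ok {
		return nil
	}
	limit := big.NewRat(thresholdPct, 100)
	prevDate := d.AddDate(0, 0, -1).Format(dateLayout)
	var alerts []string
	for ccy, now := range today {
		prev, _, err := r.RateOn(prevDate, ccy, maxStale)
		if err != nil {
			continue
		}
		change := new(big.Rat).Sub(now, prev)
		change.Quo(change, prev)
		if change.Abs(change).Cmp(limit) > 0 {
			alerts = append(alerts, ccy)
		}
	}
	sort.Strings(alerts)
	return alerts
}

// sampleRates is constructed data: a Thursday, a Friday and the following
// Monday, no weekend entries, and a 10% jump in ISK on the Friday.
func sampleRates() Rates {
	return Rates{
		"2012-10-18": {"USD": rat("1.3000"), "GBP": rat("0.8000"), "ISK": rat("160.00")},
		"2012-10-19": {"USD": rat("1.3100"), "GBP": rat("0.8100"), "ISK": rat("176.00")},
		"2012-10-22": {"USD": rat("1.3200"), "GBP": rat("0.8200"), "ISK": rat("176.00")},
	}
}

func main() {
	r := sampleRates()
	usd, from, _ := r.RateOn("2012-10-21", "USD", 3) // a Sunday: falls back to Friday
	fmt.Println("USD on 2012-10-21, taken from", from+":", usd.FloatString(4))
	x, _ := r.Cross("2012-10-19", "GBP", "USD", big.NewRat(100, 1), 3)
	fmt.Println("100 GBP in USD:", x.FloatString(2))
	fmt.Println("alerts on 2012-10-19:", r.DailyAlerts("2012-10-19", 5, 3))
}
```

Rounding to the currency's minor unit belongs at the very end, when a Rat is finally rendered for display or storage, which is what the fixed-point advice in the list amounts to.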

NtotheTC
Dec 31, 2007


Suspicious Dish posted:

I'm actually curious, is there a good public API to get those? It seems like it should be an API provided by some government agency somewhere.

There are several good ones that require a subscription to use. I had a hell of a time trying to find a decent free one to just do a quick on-the-fly exchange rate calculation.

I ended up using google's exchange rate calculator but even that isn't ideal. Annoyingly the response it returns isn't valid JSON. I'm struggling to think of a reason why, but all I can come up with is that google don't particularly want people using it in this way, so made it deliberately annoying.

NtotheTC fucked around with this message at 09:38 on Oct 19, 2012

Doctor w-rw-rw-
Jun 24, 2008

NtotheTC posted:

There are several good ones that require a subscription to use. I had a hell of a time trying to find a decent free one to just do a quick on-the-fly exchange rate calculation.

I ended up using google's exchange rate calculator but even that isn't ideal. Annoyingly the response it returns isn't valid JSON. I'm struggling to think of a reason why, but all I can come up with is that google don't particularly want people using it in this way, so made it deliberately annoying.

JavaScript code:
{lhs: "1 British pound",rhs: "1.6062 U.S. dollars",error: "",icc: true}
is valid Javascript, not JSON - the keys aren't quoted.

EDIT: If you want to parse it, you'll need a parser that supports Javascript parsing, like Jackson (if you're on the JVM)

This also seems to be a common thing with Google results objects. It could be an optimization to reduce the size of server responses, since every bit matters, or an artifact of GWT? In any case, there seems to be a Python lib for it as well: demjson (found relevant question at StackOverflow)

Javascript (if you don't want to eval()): JSOL

Doctor w-rw-rw- fucked around with this message at 10:24 on Oct 19, 2012
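
A way to consume the response quoted above without eval() or a full JavaScript parser, as an added Go example that is not from any poster: the only thing separating it from JSON is the bare keys, so a single pass that double-quotes every identifier in key position, while copying string literals verbatim, yields input that a strict JSON parser accepts. The sample response is the one NtotheTC quoted; the CalcResult field names are my own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

func isIdentStart(c byte) bool {
	return c == '_' || c == '$' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

func isIdentPart(c byte) bool { return isIdentStart(c) || (c >= '0' && c <= '9') }

func isSpace(c byte) bool { return c == ' ' || c == '\t' || c == '\n' || c == '\r' }

// quoteBareKeys rewrites a JavaScript object literal whose keys are bare
// identifiers into strict JSON by double-quoting every identifier that sits in
// key position (after '{' or ',' and before ':'). It walks the text once and
// copies double-quoted string literals verbatim, so a "k: v" inside a value is
// never mistaken for a key. Single-quoted strings are not handled.
func quoteBareKeys(src string) string {
	var out strings.Builder
	inString := false
	var last byte // last non-whitespace byte emitted outside a string literal
	for i := 0; i < len(src); i++ {
		c := src[i]
		if inString {
			out.WriteByte(c)
			if c == '\\' && i+1 < len(src) { // keep escape sequences intact
				i++
				out.WriteByte(src[i])
			} else if c == '"' {
				inString = false
			}
			continue
		}
		if c == '"' {
			inString, last = true, c
			out.WriteByte(c)
			continue
		}
		if isIdentStart(c) && (last == '{' || last == ',') {
			j := i
			for j < len(src) && isIdentPart(src[j]) {
				j++
			}
			k := j
			for k < len(src) && isSpace(src[k]) {
				k++
			}
			if k < len(src) && src[k] == ':' { // identifier is a key: quote it
				out.WriteByte('"')
				out.WriteString(src[i:j])
				out.WriteByte('"')
				last, i = '"', j-1
				continue
			}
		}
		out.WriteByte(c)
		if !isSpace(c) {
			last = c
		}
	}
	return out.String()
}

// CalcResult mirrors the fields of the calculator response quoted in the post.
type CalcResult struct {
	LHS   string `json:"lhs"`
	RHS   string `json:"rhs"`
	Error string `json:"error"`
	ICC   bool   `json:"icc"`
}

// parseCalc turns the raw response into a struct with no eval() anywhere.
func parseCalc(raw string) (CalcResult, error) {
	var r CalcResult
	err := json.Unmarshal([]byte(quoteBareKeys(raw)), &r)
	return r, err
}

func main() {
	raw := `{lhs: "1 British pound",rhs: "1.6062 U.S. dollars",error: "",icc: true}`
	fmt.Println(quoteBareKeys(raw))
	r, err := parseCalc(raw)
	fmt.Printf("%+v %v\n", r, err)
}
```

Values that are bare identifiers (true, false, null) are left alone because they follow a colon, not a brace or comma; anything the rewrite cannot make strict still fails in json.Unmarshal rather than being executed.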

Opinion Haver
Apr 9, 2007

It can't be optimization, or they'd get rid of the spaces as well. I wonder what's going on there.

Suspicious Dish
Sep 24, 2011

Because they don't want their private APIs to be parseable by morons? Dunno

pokeyman
Nov 26, 2006

That elephant ate my entire platoon.
There's a bunch of code that uses JavaScript literals instead of valid JSON, that's all. There's no secret plot.

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Doctor w-rw-rw- posted:

This also seems to be a common thing with Google results objects. It could be an optimization to reduce the size of server responses, since every bit matters, or an artifact of GWT?

It's probably because they wrote their JSON library when that was considered acceptable behavior, and nobody at Google is in charge of fixing broken software. In this case, they're big enough where they don't have to make their APIs conform to standards: the API consumers will conform to Google.

Malloc Voidstar
May 7, 2007

Fuck the cowboys. Unf. Fuck em hard.
It's also not a supported API, so they only need it to work with their own code.

McGlockenshire
Dec 16, 2005

GOLLOCKS!
It was probably also designed before JSON became a named thing.

Viggen
Sep 10, 2010

by XyloJW
Bored, I stumbled across this horror.

With such beauties as:

code:
        if($dir != NULL)
            $this->dir = $dir;
        if($time != NULL)
            $this->time = $time;
        $this->url = $_SERVER['SCRIPT_NAME'];
        // builds "?<script name><query string>": the "?" ends up in front of the script name
        if(isset($_SERVER['QUERY_STRING']))
            $this->url = "?".$this->url.$_SERVER['QUERY_STRING'];
My personal favorite, though:

code:
    public function clean() {
        $dir = opendir($this->dir);
        while(false !== ($file = readdir($dir))) {
            // keeps only the segment after the first dot, so "x.tar.gz" yields "tar"
            // and a name with no dot leaves $ext[1] undefined
            $ext = explode(".",$file);
            $ext = $ext[1];
            if($ext == $this->ext)
                // "." and ".." are only excluded after the extension comparison
                if($file != '.' and $file != '..')
                    unlink($this->dir.'/'.$file);
        }
        closedir($dir);
    }
Yep, everything is just dandy. This is not an example of bad code, this is an example of just getting it wrong or handrolling own poo poo functions to replace those which would actually work.

Calling ob_start, and.. The head. :gonk:
Oh PHP developers, you so craaazy.

Viggen fucked around with this message at 19:34 on Oct 22, 2012

bobthecheese
Jun 7, 2006
The theory behind this isn't new, but I love it, nonetheless...

http://files.samuellevy.com/trap.php

A conversation came up with a co-worker that I'm doing a lot of code janitor work, and it's horrible, and I wish we could just pay someone ELSE to deal with it (hah, I am the someone else). The problem is that we wouldn't trust other people to get it right anyway ("other people" are why the code has to be so heavily janitored to begin with).

Anyway, we figured that we should start booby-trapping code to keep other people out of it, and thus keep it looking clean.

Viggen
Sep 10, 2010

bobthecheese posted:

Anyway, we figured that we should start booby-trapping code to keep other people out of it, and thus keep it looking clean.

Why not just trivially encode it and use some proprietary offsets within the compiler's instruction set to call an execute-and-stop?

Edit: For instance, I call my trivial obfuscation toy "gzphp" after a very common similar tool for binaries on *IX. You can likely guess what it does. :q:

Viggen fucked around with this message at 23:13 on Oct 22, 2012

ToxicFrog
Apr 26, 2008


bobthecheese posted:

The theory behind this isn't new, but I love it, nonetheless...

http://files.samuellevy.com/trap.php

I have no idea what I'm looking at here, or how it acts as a booby-trap.

E: I really hope the bit above --- SOURCE --- isn't the actual output of that code. :psyduck:

senrath
Nov 4, 2009

Look Professor, a destruct switch!
You're looking at the output of the code. It's a quine.

Edit: Ignore the last bit, I'm stupid.

senrath fucked around with this message at 02:45 on Oct 23, 2012

Opinion Haver
Apr 9, 2007

Reading your own source file is cheating though.

senrath
Nov 4, 2009

More or less cheating than an empty file?
