| Header | Value |
|---|---|
| In-Reply-To | <d8c7dc52-0c54-4b29-a7b6-bcd833686611@q12g2000prb.googlegroups.com> |
| References | <d8c7dc52-0c54-4b29-a7b6-bcd833686611@q12g2000prb.googlegroups.com> |
| Date | Sun, 19 Jun 2011 03:26:14 +1000 |
| Subject | Re: Strategy to Verify Python Program is POST'ing to a web server. |
| From | Chris Angelico <rosuav@gmail.com> |
| To | python-list@python.org |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.127.1308417979.1164.python-list@python.org> (permalink) |
On Sat, Jun 18, 2011 at 9:34 PM, mzagursk@gmail.com <mzagursk@gmail.com> wrote:
> I am wondering what your strategies are for ensuring that data
> transmitted to a website via a python program is indeed from that
> program, and not from someone submitting POST data using some other
> means. I find it likely that there is no solution, in which case what
> is the best solution for sending data to a remote server from a python
> program and ensuring that it is from that program?

You're correct there: there is no solution. Everything on the other side of your network cable should be treated as hostile and spoofed. But the real question is, how much effort are people likely to go to to avoid using your program? SSL certificates are good, but they can be stolen (very easily if the client is open source). Anything algorithmic suffers from the same issue.

In the example you gave, there's no solution. Someone could easily spoof it and stuff the ballot. But if you make that more difficult than the survey is worth, then you can largely trust your data.

The other common reason for wanting to be sure that the far end really is your script is when you're trusting the client to do data validation. There's a solution to that one: repeat the validation on the server, and then it doesn't matter if they use your program or not. (And before you cry "Isn't that obvious?", a lot of people have completely missed that point.)

In neither case can you prove what program was on the far end. You're working with network packets, so anything can be spoofed. You could go a long way toward it, though, by using something ridiculously complex, such as:

* Client connects via SSL to host, using a known certificate.
* Server verifies certificate, and sends client some Python code to execute.
* Client verifies the server's certificate (vital!).
* Client executes the code it's given, and based on the result, plus some other data, sends the server a hash value.
* Server executes the same code it gave the client, knows the data it was working with, and calculates the equivalent hash.
* If the two hashes match, the client is deemed to be valid.

This is a variant of the usual nonce-based hashing systems, where the nonce in question is actually executable code. By randomizing the code, you can make it difficult for any non-Python program to duplicate the hash algorithm. But it still won't provide certainty, by any means.

I've spent quite a bit of time this past fortnight explaining some of these concepts to my boss and one of my coworkers; they were building a rather elaborate system but didn't realise that, apart from requiring about three times as much data from /dev/random, it wasn't materially different from a simple SSL cert check...

Chris Angelico
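The "usual nonce-based hashing system" Chris compares his scheme to, written out as an added example that is not part of the original post: the server issues a single-use nonce, the client returns an HMAC over nonce plus submitted data, and the server recomputes it and repeats the data validation itself. The shared secret, the `Server` class and the payload format are constructed for this example; as the post says, anyone holding the secret produces a valid tag, so this raises the cost of spoofing but proves nothing about which program sent the data.

```python
# Added example (not from the original post): nonce-based challenge/response
# with an HMAC standing in for Chris's "executable code" nonce.
import hashlib
import hmac
import json
import secrets

# Constructed demo secret. In a shipped client this is extractable, which is
# exactly the limit the post describes.
SHARED_SECRET = b"constructed-demo-secret"


def compute_tag(secret, nonce, payload):
    """HMAC-SHA256 over the server's nonce and a canonical encoding of the data."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, nonce.encode() + b"\n" + body, hashlib.sha256).hexdigest()


class Server:
    """Issues one-time nonces and verifies the client's tag and data."""

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()  # nonces issued but not yet consumed

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def validate_payload(self, payload):
        # Validation repeated on the server, so it holds whatever client sent it.
        return payload.get("choice") in {"yes", "no"}

    def verify(self, nonce, payload, tag):
        if nonce not in self.outstanding:
            return False  # unknown nonce, or a replay of a consumed one
        self.outstanding.discard(nonce)  # each nonce is accepted once
        expected = compute_tag(self.secret, nonce, payload)
        # Constant-time compare, then the server-side data check.
        return hmac.compare_digest(expected, tag) and self.validate_payload(payload)


def client_submit(server, payload, secret=SHARED_SECRET):
    """What the genuine client does: fetch a nonce, tag the data, submit."""
    nonce = server.issue_nonce()
    return server.verify(nonce, payload, compute_tag(secret, nonce, payload))
```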