Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!aioe.org!feeder.news-service.com!newsfeed.xs4all.nl!newsfeed6.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail
Return-Path: <rosuav@gmail.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.044
X-Spam-Evidence: '*H*': 0.91; '*S*': 0.00; 'executing': 0.05; 'subject:Python': 0.06; 'involves': 0.07; 'executed': 0.09; 'stolen': 0.09; 'pm,': 0.10; 'am,': 0.14; 'wrote:': 0.14; '"if"': 0.16; 'algorithmic': 0.16; 'angelico': 0.16; 'from:addr:rosuav': 0.16; 'from:name:chris angelico': 0.16; 'subject:server.': 0.16; 'suffers': 0.16; 'verifying': 0.16; 'meant': 0.18; 'issue.': 0.19; 'header:In-Reply-To:1': 0.21; 'opens': 0.23; 'received:209.85.210.174': 0.23; 'received:mail- iy0-f174.google.com': 0.23; 'code': 0.24; 'point,': 0.25; 'user.': 0.26; 'message-id:@mail.gmail.com': 0.28; 'sat,': 0.29; 'subject:web': 0.29; 'server': 0.29; 'toward': 0.29; 'signed': 0.29; 'bit': 0.30; 'sun,': 0.30; 'changes': 0.30; 'seem': 0.32; 'michael': 0.32; "can't": 0.32; 'app': 0.32; 'does': 0.33; 'to:addr:python-list': 0.33; '...': 0.34; 'chris': 0.34; 'describe': 0.34; 'nobody': 0.34; 'ssl': 0.35; 'using': 0.35; 'open': 0.36; 'too.': 0.37; 'received:google.com': 0.37; 'something': 0.37; 'received:209.85': 0.37; 'another': 0.37; 'put': 0.37; 'could': 0.38; 'anything': 0.38; 'but': 0.38; 'data': 0.38; 'somewhat': 0.38; 'subject:: ': 0.38; 'user': 0.39; 'client': 0.39; 'received:209': 0.39; 'to:addr:python.org': 0.39; 'possibility': 0.40; 'easily': 0.60; 'your': 0.60; 'address': 0.62; 'unique': 0.63; 'here': 0.66; 'prove': 0.68; 'as:': 0.71; 'stand': 0.71; 'failure': 0.73; 'abuse.': 0.84; 'complex,': 0.84; 'namely': 0.84; 'ridiculously': 0.84; 'subject:Verify': 0.84; 'checks.': 0.91; 'good,': 0.91; 'certificates': 0.95; 'safer': 0.95
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type:content-transfer-encoding; bh=15ACOSnqAoBbtGs1A5mN406YxoQ4rjue07/leAmnkoM=; b=ZiTiQVuBTjDzU2Fvi8QztBkh/Qq54c8AMVZTRRvyLqeXE0DACps+IWAd/TQeOi92V6 gxbAF5VB/BZI3p0jn6gDi9DLS/vFPy66eV4hjPC1UvMD6GK5YWzoSffVt2FhIrWPZMV0 oie3nzr9Yy3IIKNZbvRc3AZuDVNG8ZN+2kZoo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=hXBQ6bMQQ1Gzd0DTzIsnDrgR7njOemJeL/zMrsvzzJ7LC3kh4HbpT+pJXPhnCQiFej g3fa1F3r821lsQ+Mqg/ZQQ98VmqQkp2sEOnPQhiazx+V3KpDlf5vSSRBN/UQ36BAqtlf 3Oq9jOpytpB9w+f6wRBJnhDiqnmLfpVCEG790=
MIME-Version: 1.0
In-Reply-To: <BANLkTi=fU9p3b_JQK_jtAf3NYhcbzFoOcA@mail.gmail.com>
References: <d8c7dc52-0c54-4b29-a7b6-bcd833686611@q12g2000prb.googlegroups.com> <BANLkTim5phU5X0CXhCNsY75OjqDCLvkXtg@mail.gmail.com> <BANLkTi=fU9p3b_JQK_jtAf3NYhcbzFoOcA@mail.gmail.com>
Date: Sun, 19 Jun 2011 09:12:13 +1000
Subject: Re: Strategy to Verify Python Program is POST'ing to a web server.
From: Chris Angelico <rosuav@gmail.com>
To: python-list@python.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <http://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <http://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.132.1308438742.1164.python-list@python.org>
Lines: 42
NNTP-Posting-Host: 82.94.164.166
X-Trace: 1308438742 news.xs4all.nl 49183 [::ffff:82.94.164.166]:40658
X-Complaints-To: abuse@xs4all.nl
Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:7929

On Sun, Jun 19, 2011 at 6:40 AM, Michael Hrivnak <mhrivnak@hrivnak.org> wro=
te:
> On Sat, Jun 18, 2011 at 1:26 PM, Chris Angelico <rosuav@gmail.com> wrote:
>> SSL certificates are good, but they can be stolen (very easily if the
>> client is open source). Anything algorithmic suffers from the same
>> issue.
>
> This is only true if you distribute your app with one built-in
> certificate, which does indeed seem like a bad idea. =A0When you know
> your user base though, especially if this is a situation with a small
> number of deployments, than you can distribute a unique certificate to
> each client, signed by your CA.

That changes it from verifying the program to verifying the user. It's
a somewhat different beast, but it still leaves the possibility of
snagging the cert and using it in another program. Same with IP
address checks. You can't prove that the other end is a particular
program.

>> You could go a long way toward it, though, by
>> using something ridiculously complex, such as:
>> ...
>
> An authentication process that involves the client executing code
> supplied by the server opens up one single point of failure (server is
> compromised or man-in-the-middle attack is happening) by which
> arbitrary code could get executed on the client. =A0Yikes!

Yeah, hence the part of verifying the server's cert too. That one is a
bit safer though; nobody but you will have that certificate, so it's
not as easy to take and put into another program. But this whole
scheme was meant from the start to be ridiculous.

> If ...
> then you'll have to accept that you cannot trust the submitted data
> 100%, and just take measures to mitigate abuse.

I still stand by my original point, namely that the "if" on here is
superfluous, and the "then" is unconditional. But the measures you
describe _do_ reduce the likelihood significantly.

ChrisA