[Psi-devel] Re: Re: Re: Re: Re: Remote Controlling Psi
Justin Karneges
justin-psi at affinix.com
Tue Jan 4 13:52:23 PST 2005
On Tuesday 04 January 2005 01:49 pm, Remko Troncon wrote:
> > If so, then all you need is for the command server to supply a random id
> > in the form. When the client submits the command request, just include
> > the id. This is how replay attacks are solved in all "live" protocols.
>
> This still doesn't save you from an evil admin, who waits for a client
> to issue an ad-hoc command, and reroutes a reply on the message
> (containing sensitive information, namely the file or a file listing or
> whatever) to himself.
> The main problem in this very special case is that the sensitive
> information is coming in a reply, and so the admin can reroute this
> information to himself. I don't see another solution than to encrypt the
> information, to make sure that no one but the initial requester can do
> something with it.
Of course. I was only suggesting a solution to the replay attack. You'd
still need to sign the request for it to be effective, as well as encrypting
it to prevent viewing.
-Justin
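The random-id-plus-signature scheme discussed in this thread, as an added Python example that is not Psi's code; the pre-shared HMAC key, the command names and the in-memory id set are constructed assumptions. It shows why the id alone stops only replay and why the request must also be signed, while the reply still needs encryption to the requester.

```python
import hmac
import hashlib
import secrets

# Added example (not Psi code): a minimal ad-hoc command server that issues a
# single-use random id with each form and accepts a submission only if that id
# is still fresh and the HMAC over (id, command) verifies under the assumed
# pre-shared key. This covers replay and forgery of the request; it does not
# protect the reply's contents, which still need encryption to the requester.

class CommandServer:
    def __init__(self, client_key: bytes):
        self.client_key = client_key   # assumption: key pre-shared with the client
        self.pending = set()           # ids issued but not yet consumed

    def issue_form(self) -> str:
        sid = secrets.token_hex(16)    # random id supplied with the form
        self.pending.add(sid)
        return sid

    def _expected_mac(self, sid: str, command: str) -> str:
        msg = f"{sid}\n{command}".encode()
        return hmac.new(self.client_key, msg, hashlib.sha256).hexdigest()

    def submit(self, sid: str, command: str, mac: str) -> str:
        if sid not in self.pending:
            return "rejected: unknown or already-used id (replay?)"
        if not hmac.compare_digest(self._expected_mac(sid, command), mac):
            return "rejected: bad signature"
        self.pending.discard(sid)      # consume the id so the same request cannot replay
        return f"executed: {command}"

def client_sign(key: bytes, sid: str, command: str) -> str:
    # The client signs the id together with the command it submits.
    return hmac.new(key, f"{sid}\n{command}".encode(), hashlib.sha256).hexdigest()

def demo():
    key = b"constructed-demo-key"     # constructed sample key
    server = CommandServer(key)
    sid = server.issue_form()
    mac = client_sign(key, sid, "list-files")
    first = server.submit(sid, "list-files", mac)
    replay = server.submit(sid, "list-files", mac)                  # same message again
    forged = server.submit(server.issue_form(), "delete-file", mac) # fresh id, reused MAC
    return first, replay, forged
```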