"So the best practice is to simply avoid this difficult problem entirely." Are you telling me not to encrypt those buttons at all? Can you guys give me suggestions on how to deal with this, or the best way to solve it?
On Jan 10, 2008 11:48 AM, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> On Thu, Jan 10, 2008 at 11:41:54AM -0500, deep sky wrote:
>
> > The variables in the html code can be viewed and someone can mimic the
> > page and change the price and stuff.
>
> Don't store sensitive state in hidden form fields pushed to the user's
> browser. Merely encrypting the data is not a sufficient defense, it
> needs to be signed *in context*, otherwise various replay and substitution
> attacks become interesting. Few developers are able to get this right and
> keep it right through evolutionary updates. So the best practice is to
> simply avoid this difficult problem entirely.
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
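To make the two options in Viktor's reply concrete, here is an added example (my own code, not from anyone in this thread or from OpenSSL). The first function is the "avoid the problem" approach: the form carries only an item id and the server looks the price up in its own catalogue. The rest shows what "signed in context" means if some state really has to round-trip through the browser: an HMAC over the value together with the session id, the purpose, and an expiry, so that an edited price, a token lifted from another session, or a stale token all fail verification. The catalogue, prices, key and session ids are constructed sample values; a real deployment would take the key from a secret store.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample catalogue: prices in cents live on the server, so the
# HTML form only needs to carry the item id, never the price itself.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}

# Constructed example key. Assumption: a real server loads this from a
# secret store and never ships it to the client.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def server_side_price(item_id):
    """Best practice from the thread: never trust a price sent by the client;
    look it up on the server from the item id."""
    return CATALOGUE[item_id]


def make_token(key, session_id, item_id, price_cents, now, ttl=600):
    """Bind state that must round-trip through the browser to its context.

    The MAC covers the session, the purpose and an expiry in addition to the
    item and price, so the token is only valid for this session, for checkout,
    and for a limited time. Plain encryption without a MAC would not give any
    of these guarantees."""
    payload = {
        "sid": session_id,
        "item": item_id,
        "price": price_cents,
        "purpose": "checkout",
        "exp": now + ttl,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()


def verify_token(key, token, session_id, now):
    """Return the payload if the token is intact and valid in *this* context,
    otherwise None. Every failure mode Viktor mentions maps to one check."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None                      # not even well-formed
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                      # field edited or token forged
    payload = json.loads(body)
    if payload.get("purpose") != "checkout" or payload.get("sid") != session_id:
        return None                      # substitution from another session/purpose
    if payload.get("exp", 0) < now:
        return None                      # replay of an expired token
    return payload


if __name__ == "__main__":
    tok = make_token(SERVER_KEY, "sess-A", "sku-100", server_side_price("sku-100"), now=1000)
    print("valid in own session:", verify_token(SERVER_KEY, tok, "sess-A", now=1100))
    print("same token, other session:", verify_token(SERVER_KEY, tok, "sess-B", now=1100))
    print("same token, after expiry:", verify_token(SERVER_KEY, tok, "sess-A", now=2000))
```

The server still re-checks the price against the catalogue after a successful verify; the token only proves that the server itself issued this value for this session and purpose recently. Everything the checks depend on (the key, the session id from the server's own session store, the clock) stays on the server side.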