Hi, good summary Ben. Mike - no worries about jumping the gun; about 50% of replies have been similar. I'm still learning how to tailor these communications to reduce line noise; any suggestions would be welcome.
In fact, MD5 is fine for this use; the scheme doesn't rely on the collision resistance property. And I suggest using salts to reduce the impact of rainbow tables. SHA1 is probably the best bet, simply because the js file is the smallest.

General response from TG/Django is basically +0: "we'll probably accept it if you implement it". Obviously I'm not going to implement this for every web framework under the sun, but I think I will for repoze.who. If you guys want to add it to AuthKit, I'm happy to help/advise if someone else leads.

I am a security specialist and have worked in web security for many years. This is a small improvement really. I remember the online banking site where you could transfer money out of others' accounts by tampering with hidden fields. Or the multi-million currency trading site where you could change the exchange rate in a hidden field. Or the rich text editor where you could upload a .aspx file and compromise the server. And many, many more :-)

Paul