Re: [OT] Related to Security Concerns ( was: "please tell me why this is stupid")

2011-09-02 Thread Bob Sneidar
Duly hijacked, massaged into a joke, and sent to family and friends. :-) Bob On Sep 2, 2011, at 12:14 PM, Scott Rossi wrote: > >> You might also want to consider a simplification of the trick that >> Salseforce.com uses (albeit in their case, on top of SSL & username/password >> authentication

Re: [OT] Related to Security Concerns ( was: "please tell me why this is stupid")

2011-09-02 Thread Keith Clarke
d-d-d-d-d-drum...tshhh! :-) On 2 Sep 2011, at 20:14, Scott Rossi wrote: > >> You might also want to consider a simplification of the trick that >> Salseforce.com uses (albeit in their case, on top of SSL & username/password >> authentication) when a user logs in via an unknown machine (my g

[OT] Related to Security Concerns ( was: "please tell me why this is stupid")

2011-09-02 Thread Scott Rossi
> You might also want to consider a simplification of the trick that > Salseforce.com uses (albeit in their case, on top of SSL & username/password > authentication) when a user logs in via an unknown machine (my guess is > 'unknown IP address'). Apologies for the thread hijacking, just saw this

Re: please tell me why this is stupid

2011-09-02 Thread Keith Clarke
You might also want to consider a simplification of the trick that Salseforce.com uses (albeit in their case, on top of SSL & username/password authentication) when a user logs in via an unknown machine (my guess is 'unknown IP address'). The successful login is followed by a dialogue to send

Re: please tell me why this is stupid

2011-09-02 Thread Richard Gaskin
Thanks for chiming in, Dave: On 2 Sep 2011, at 16:33, Richard Gaskin wrote: So it occurs to me that before the authentication data is sent, the first request to the server app could be to ask for a token. This token would be a hash (probably SHA1) of the client app's IP address, the time in

Re: please tell me why this is stupid

2011-09-02 Thread Richard Gaskin
Bob Sneidar wrote: If both ends support OpenSSH then can't you simply get the public key for the machine the first time you connect and store that? But then of course, a wipe and reinstall of the OS hoses that. Apple computers natively support it, but Windows XP does not. (Not sure if Vista or

Re: please tell me why this is stupid

2011-09-02 Thread Dave Cragg
On 2 Sep 2011, at 16:33, Richard Gaskin wrote: > So it occurs to me that before the authentication data is sent, the first > request to the server app could be to ask for a token. This token would be a > hash (probably SHA1) of the client app's IP address, the time in millisecs, > and other a

Re: please tell me why this is stupid

2011-09-02 Thread Bob Sneidar
If both ends support OpenSSH then can't you simply get the public key for the machine the first time you connect and store that? But then of course, a wipe and reinstall of the OS hoses that. Apple computers natively support it, but Windows XP does not. (Not sure if Vista or Win7 have caught up

Re: please tell me why this is stupid

2011-09-02 Thread Richard Gaskin
Bob Sneidar wrote: What happens when you change the internet provider on either end? You need a mechanism for re-establishing the link. The system assumes the ISP won't be changed mid-session; the token is used only for the current session. -- Richard Gaskin Fourth World LiveCode trainin

Re: please tell me why this is stupid

2011-09-02 Thread Bob Sneidar
What happens when you change the internet provider on either end? You need a mechanism for re-establishing the link. Bob On Sep 2, 2011, at 9:33 AM, Richard Gaskin wrote: > Andre Garzia wrote: >> For the arbitrary data, use some shared secret between both instances, this >> way, someone in th

Re: please tell me why this is stupid

2011-09-02 Thread Richard Gaskin
Andre Garzia wrote: For the arbitrary data, use some shared secret between both instances, this way, someone in the middle can't fake the requests by simply knowing the IPs and the milliseconds... Just to clarify, they not only need to know the IP and milliseconds, but must also spoof the IP a

Re: please tell me why this is stupid

2011-09-02 Thread Bob Sneidar
But you would have to use a presumed shared secret and not store it. It couldn't be something that was chosen by the end user in the process of creating the key, because it would be discoverable. Bob On Sep 2, 2011, at 8:52 AM, Andre Garzia wrote: > Richard, > > For the arbitrary data, use

Re: please tell me why this is stupid

2011-09-02 Thread Andre Garzia
Richard, For the arbitrary data, use some shared secret between both instances, this way, someone in the middle can't fake the requests by simply knowing the IPs and the milliseconds... On Fri, Sep 2, 2011 at 12:33 PM, Richard Gaskin wrote: > I need a lightweight embeddable solution for encrypti

please tell me why this is stupid

2011-09-02 Thread Richard Gaskin
I need a lightweight embeddable solution for encrypting socket traffic between two LiveCode-based apps. This is peer-to-peer, so there is no other software involved (no Apache or anything else), just two apps each with an Internet connection, which may be anywhere in the world. For the purpos