mircea_popescu: that's nice, had too much quiet in there anyway. check it ?
pankkake: I don't know why you mangled those two things together
pankkake: i.e. anything after "Probably because of the BEAST attack"
pankkake: mircea_popescu: your irc copy paste is broken, the last part is about using RC4, and not related to the rest
ThickerThanThiev: I'm also not savvy on cookies, but my naive question is, why doesn't the browser manage user auth?
mircea_popescu: to quote george for you, "They're men with jobs, Jerry! ... They're married, they have secretaries."
water4ll: I tried to write a blog once, after 5 minutes I found myself opening some new tabs
mircea_popescu: lol you think that's wow, talk to benkay. i think he's done thirty this week.
mircea_popescu: like that jimmothy fellow. "ignore everything that's said, quote wikipedia"
jurov: and then again and again
jurov: oh, it was announced there when I put it online
jurov: and if you want to try coinbr, you have free 1 month till next monthly fee and 1 free withdrawal
jurov: yes, i just left it there
water4ll: BTCT I thought closed down some time ago
jurov: yes, it's the passthrough from BTCT
jurov: they paid (or have to pay monthly)
jurov: it clearly shows they don't give a fuck
jurov: water4ll, i'm doing S.MPOE/BBET-PT passthrough payout and in 3 months so far only half of people went through it
mircea_popescu: water4ll listen, there's a difference between "i don't want X to be true and therefore i'll say things" and "X is surprising".
mircea_popescu: water4ll yes, the fact that mpex is a respectable exchange makes it have consistent volume
water4ll: and high value traded too, none of that 0.05btc nonsense
jurov: i'd say the barrier motivates people to take care of their assets
water4ll: well it's a higher barrier to entry than say havelock
water4ll: I'm just a little surprised at consistent trading volume
jurov: water4ll, there were ~40 new mpex accounts last month alone
nubbins`: anyway, time to strap myself to a torture machine for an hour, seeya
KRS-: large intranets would prob use that
nubbins`: "to continue sir graham's quest, type the 8th word on page 5"
KRS-: pankkake: probably because the CA cert won't complete the certificate chain for the general public. The cert would have to be signed by a custom CA I think.
mircea_popescu: "please look in your manual to continue moving larry around the lounge"
mircea_popescu: nubbins` that korea story reminds me of playing old z80 games
nubbins`: i should take a dump before the gym
pankkake: CACert allows you to authenticate with a browser certificate, though. I don't know any other website allowing it
KRS-: Ya wonder why that is..it seems pretty solid to me.
KRS-: One exception was the Florida Turnpike Enterprise (a private business implementation of a government roadway function to accept tolls and what not)..they had a firm grasp on I.T. security from their payment processor to their wireless roadway nodes..I was very impressed.
pankkake: sadly the gpg over http projects seem to go nowhere
KRS-: pankkake I've done a lot of consulting...from the private sector to government..none of them got it right. I imagine the big guys do like BOA, Google, etc.
pankkake: 1) it's a bank 2) it's a FRENCH bank 3) their website reeks of incompetence
KRS-: seems to be the case everywhere..
KRS-: hopefully they are using it together with another mechanism, which is probably the case and would be just fine.
pankkake: KRS-: probably because of the BEAST attack, but they must have botched the configuration
KRS-: securing the transport layer is hard anyway
nubbins`: when i lived in korea, my bank required that i ran an activex control, had a cookie stored on a usb thumb drive, and asked for two separate five-digit codes from a list of about 50 that were provided as a wallet-sized card
pankkake: and if you try to force it to do something else, it rejects you
nubbins`: if you're worried about cookies being stolen, there should be no such checkbox on your site either
nubbins`: if you're that worried, just let the auth cookies expire after a half hour.
pankkake: when I did implement that thing, it was more because I wanted cookies to expire in a smarter way
pankkake: it's not going to be very good
pankkake: it's a way to ensure you only have fresh cookies - stealing old cookies cannot work
KRS-: maybe to incorporate the salt+nonce that mircea_popescu was talking about?
nubbins`: why even bother with all the hocus pocus?
nubbins`: so you can verify it's the same user logging in each time, unless they perform a relatively common, seemingly benign action, like clearing their cookies
pankkake: so it allows auth cookies that still expire fast, while not forcing you to relogin if you visit the site often
nubbins`: sure, but suppose the user clears his cookies.
pankkake: ooh actually I wrote something like it earlier, without thinking much about it. the auth cookie has an expiration, but at every session cookie recreation, the auth cookie is refreshed
nubbins`: you're no longer verifying it's anybody if the old cookie is gone, no?
nubbins`: so let's suppose the user loses their old cookie, what then?
KRS-: ya it's hard to find work as sysadmin where I live, but the work lasts a very long time.
pankkake: but the auth cookie thing is interesting. it wouldn't be so hard to write a more secure implementation than most of what's out there
nubbins`: i read like halfway through today
KRS-: This is my kind of IT work, not much of a developer..love this stuff.
nubbins`: what are you guys talking about, anyway
pankkake: the session cookie isn't kept. if you close the browser, it's removed, etc.
KRS-: I've dealt with this problem before. You have to carefully pick a load balanced strategy or pick another session persistence.
nubbins`: had to troubleshoot a web app once where there was a round-robin load balancing setup. each new page request launched a new session, up to a max of 3 (the number of servers)
pankkake: no, it doesn't change, that's the point
mircea_popescu: KRS- inasmuch as they all run your code they all know about the cookie.
KRS-: Load balanced web servers would associate that cookie to one particular web server, if the load balancer strategy isn't carefully chosen (if possible) when the load balancer shifts traffic the cookie could become invalid because another web server doesn't know about the cookie.
mircea_popescu: pankkake so is the session cookie changed on each pageload ?
pankkake: and we're only talking about the auth cookie
pankkake: but usually the process is that you have an auth cookie (lifetime = high), and a session cookie (lifetime = short)
pankkake: KRS-: it's a signed cookie, not session cookie; and managing sessions over multiple servers is possible too
mircea_popescu: eventually he asks a supervisor : so when do you skewer their meatflaps already ?)
KRS-: pankkake: good luck with that cookie strategy if you are using multiple web servers
mircea_popescu: (guy walks into a girlscout cookie clambake. as the festivities progress he keeps getting more and more excited
nubbins`: great for industrial buildings as well as the home!