[Catalyst] Encrypt /Decrypt URI
Matija Grabnar
matija at serverflow.com
Fri May 18 18:55:35 GMT 2007
Bill Moseley wrote:
> What you are proposing is if item 7 is instead encoded as
> 84bc3da1b3e33a18e8d5e1bdd7a18d7a then they are less likely to try
> other numbers because of, ... why? Because it's too daunting of a task?
> It's a big scary md5 instead of a primary key?
>
Well, in a way. Because the space they need to search to find the "next"
item in an md5 or similar scheme is many orders of magnitude larger than
in a system where the numbers are consecutive (i.e. o(1)).
> Of course, what you want is a method that requires checking that the
> user can access the item. Something like:
>
> $item = $user->get_user_item( $id );
>
The problem comes when you have an intersection between public data and
not-yet-public data.
A real-world example that comes to mind was the CMS of a cineplex. They
uploaded promotional material for forthcoming movies. Part of the CMS
was the image store which was directly accessible to Apache, so it could
serve the pictures with maximum efficiency. The CMS implemented before I
was on the project used consecutive numbers for the pictures, and they
saw from their logs (and posts on adolescent-frequented forums) that
visitors would try to get higher numbers, in order to see which movies
were coming, so they could post first in the forums and brag about their
knowledge. This was a problem because they were contractually obligated
not to hint about coming movies until the appropriate information
release date.
Simply assigning the pictures random names in a very large (I think it
was 64 character) string space completely stopped those attempts, with
minimal code changes. Separating the image storage into a
"open" image storage and "closed" image storage would have meant bigger
code changes.
The same thing could happen when you have an on-line shop where items
are potentially visible when they are entered into the shop system, but
not yet listed in the indices. You very probably don't want
those items visible, and while checking at every step if the item is
valid is a laudable practice, which should be followed, giving your
items randomized identifiers can still significantly reduce
your attack surface, for very little cost.
I'm not saying it's a panacea, or that it should be practiced to the
exclusion of other methods, but it is, IMHO, a viable part of any defense
in depth.
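As an added illustration of the two points in this message (random identifiers shrink the chance of a blind hit, and an authorization check still gates unpublished items), here is a small Python sketch that is not from the thread or from Catalyst; the store layout, the 64-hex-character id length and the method names are assumptions.

```python
import secrets

# Assumed id format: 64 hex characters, i.e. 256 random bits per item name.
ID_HEX_CHARS = 64


def random_item_id():
    """Unpredictable identifier drawn from the OS CSPRNG (not a plain rand())."""
    return secrets.token_hex(ID_HEX_CHARS // 2)


def expected_guesses(space_size, valid_count):
    """Expected number of blind guesses before the first hit on a valid id.

    Each guess hits with probability valid_count / space_size, so the
    expectation is space_size / valid_count.  With consecutive ids the
    'space' is just the next integer, so a single guess succeeds.
    """
    return space_size / valid_count


class ItemStore:
    """Items keyed by random id; fetching still goes through an access check."""

    def __init__(self):
        self._items = {}  # item_id -> (owner, published, payload)

    def add(self, owner, payload, published=False):
        item_id = random_item_id()
        self._items[item_id] = (owner, published, payload)
        return item_id

    def publish(self, item_id):
        owner, _, payload = self._items[item_id]
        self._items[item_id] = (owner, True, payload)

    def get_user_item(self, user, item_id):
        """Defence in depth: the random id makes enumeration impractical,
        and this check still hides unpublished items from everyone but the
        owner even if an id does leak."""
        entry = self._items.get(item_id)
        if entry is None:
            return None
        owner, published, payload = entry
        if published or owner == user:
            return payload
        return None
```

Compare expected_guesses(1000, 1000) for a thousand consecutively numbered items with expected_guesses(16**64, 1000) for the same items under random names; the second figure is what stops the "try the next number" visitors from the cineplex story.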