[PLUG] Secret message web page

Ed Sawicki ed at alcpress.com
Mon Apr 16 16:29:36 UTC 2007


Keith Lofstrom wrote:
> I set up a "secret message to Keith webpage".  I think.  As I am
> not a security guru, I could use some help checking my logic.
> 
> PGP is too hard for most people to figure out.  About every 6 months
> or so, some random computer-illiterate semistranger needs to send
> me a short secret message, say to send a password or encryption key.
> These are not high grade defense-level secrets, but a little more 
> than I want to trust to clear-text email.
> 
> Hence the webpage.  It is a simple form, accessible through port 443
> (SSL https web service) on my server:
> --------------------------------------------------------------------
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head>
> <meta name="description" content="Send Keith a Message form">
> <title>Send Keith a Message</title>
> </head><body>
> <FORM METHOD=POST ACTION="https://www.keithl.com/cgibin/XXXXXXXXX.cgi">
>    <INPUT TYPE="hidden" NAME="FORMVERSION" VALUE="XXXXXXXX.html 2007Apr14 KHL">
>    Enter text to send to Keith Lofstrom in this text box
>    <INPUT TYPE="submit" NAME="EXECUTE_OPTION" VALUE="Send page to Keith">
>    <br><TEXTAREA ROWS=20 COLS=90 NAME="TEXT53"></TEXTAREA>
> </FORM></body></html>
> --------------------------------------------------------------------
> 
> The POST data is sent to the XXXXXXXX.cgi script (name obscured) on
> my server, which sends back a confirmation page (https of course)
> and emails me (internally, over a VPN link) the information and 
> some environment information such as the date, the script and form
> names, the IP address of the remote browser, and whether HTTPS is
> turned on.
> 
> This is not bulletproof;  it is a self-signed cert, for example, so
> it is somewhat vulnerable to a man-in-the-middle attack.  But hey,
> if Eve works that hard to access the information, she would be more
> interesting to talk to, anyway.  :-)
> 
> Is this an acceptable approach, or is it too weak to bother with?

Self-signed certificates are not necessarily more vulnerable
to MITM attacks than certificates signed by the Certificate
Authorities that Web browsers know about. Just get these
people to import your CA certificate into their browsers.
Of course, the problem here is how do they know if they're
importing a legitimate certificate for your CA. You can
provide this assurance to them by having your Web site
protected by a certificate issued by a CA that is already
known to their browser.

You can further reduce the risk of MITM (and other attacks)
by having them use browser-side certificates (so your Web
server knows the client is genuine). You can issue these
certificates to them using your own CA.

Then you have the problem of ensuring your CGI script is secure.

I favor not using browsers and Web servers when you have
to move sensitive data. Take it "out of band". Provide them
a program that knows how to send the data to you over a
secure, authenticated channel that's independent of the rest
of the world. If they're running Windows, you're a bit
limited but there's PuTTY that can be wrapped up in a bit of
Python, tclkit, Java WebStart, etc.

Ed




> Keith
> 
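The "browser-side certificates from your own CA" idea above, worked through as an added example (this is not code from the thread or from Keith's server). A Python client stands in for the browser: it trusts only the private CA instead of the public root store, so a man-in-the-middle with any other certificate is rejected, and the server in turn refuses any client that cannot present a certificate issued by that same CA. The PKI is generated on the fly with the `openssl` command line tool, which is assumed to be installed; all subject names and the message are made up for the demonstration.

```python
"""Mutual TLS pinned to a private CA, using only the Python standard library
plus the openssl CLI for certificate generation (assumed installed)."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed sample secret; nothing here is real.
SAMPLE_MESSAGE = b"backup key: example-only-value"


def make_pki(workdir):
    """Create a throwaway private CA plus a server and a client certificate.
    Extensions are spelled out so that strict verifiers (Python 3.13 defaults
    to VERIFY_X509_STRICT) accept the chain."""
    def openssl(*args):
        subprocess.run(["openssl", *args], cwd=workdir, check=True,
                       capture_output=True)

    def write(name, text):
        with open(os.path.join(workdir, name), "w") as f:
            f.write(text)

    write("ca.ext", "basicConstraints=critical,CA:TRUE\n"
                    "subjectKeyIdentifier=hash\n"
                    "keyUsage=critical,keyCertSign,cRLSign\n")
    leaf = ("basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\n"
            "authorityKeyIdentifier=keyid\nkeyUsage=digitalSignature,keyEncipherment\n")
    # The server cert carries a SAN so the client's hostname check can match it.
    write("server.ext", leaf + "extendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n")
    write("client.ext", leaf + "extendedKeyUsage=clientAuth\n")

    openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=Keith private CA",
            "-keyout", "ca.key", "-out", "ca.csr")
    openssl("x509", "-req", "-days", "2", "-in", "ca.csr", "-signkey", "ca.key",
            "-extfile", "ca.ext", "-out", "ca.crt")
    for name, cn in (("server", "localhost"), ("client", "semistranger")):
        openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                "-keyout", f"{name}.key", "-out", f"{name}.csr")
        openssl("x509", "-req", "-days", "2", "-in", f"{name}.csr",
                "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
                "-extfile", f"{name}.ext", "-out", f"{name}.crt")
    return {k: os.path.join(workdir, k) for k in
            ("ca.crt", "server.crt", "server.key", "client.crt", "client.key")}


def server_context(pki):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(pki["server.crt"], pki["server.key"])
    ctx.verify_mode = ssl.CERT_REQUIRED       # no client certificate, no session
    ctx.load_verify_locations(pki["ca.crt"])  # only our CA may vouch for clients
    return ctx


def client_context(pki, present_cert=True):
    # cafile= replaces the public root store: only the private CA is trusted,
    # so a MITM holding a certificate from any other CA fails verification.
    ctx = ssl.create_default_context(cafile=pki["ca.crt"])
    if present_cert:
        ctx.load_cert_chain(pki["client.crt"], pki["client.key"])
    return ctx


def exchange(pki, present_cert=True, message=SAMPLE_MESSAGE):
    """One client/server round trip on loopback.  Returns (client CN as seen
    by the server, bytes received) or None when the handshake is refused."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    result = {}

    def serve():
        try:
            raw, _ = listener.accept()
            with server_context(pki).wrap_socket(raw, server_side=True) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                result["cn"] = subject["commonName"]
                result["data"] = tls.recv(1024)
        except OSError:
            pass  # handshake rejected (e.g. missing client certificate)

    t = threading.Thread(target=serve)
    t.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
             client_context(pki, present_cert).wrap_socket(
                 raw, server_hostname="localhost") as tls:
            tls.sendall(message)
    except OSError:
        pass  # the server tore the connection down
    t.join()
    listener.close()
    return (result["cn"], result["data"]) if "cn" in result else None


def demo():
    """Run the exchange with and without a client certificate."""
    with tempfile.TemporaryDirectory() as d:
        pki = make_pki(d)
        return exchange(pki, present_cert=True), exchange(pki, present_cert=False)


if __name__ == "__main__":
    print(demo())
```

The first call returns the client's common name and the message; the second returns None because the server's `CERT_REQUIRED` setting aborts the handshake before any application data is accepted. Distributing `ca.crt` and the client certificate to the "semistranger" is the remaining trust problem, which is exactly the point made above about needing some already-trusted channel for the first exchange.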
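On "ensuring your CGI script is secure": the script described above mails the form text plus environment details. The following added example (not Keith's script, whose source is not in the thread) shows the checks a reviewer would want in that CGI step: refuse the request unless the server reports HTTPS, cap the body size, accept only the expected form version, and keep request-derived values out of mail headers and on a single line so they cannot inject headers or fake metadata. Field names come from the posted form; the recipient address, the hypothetical `handle_post` interface and the sample request are made up.

```python
"""Defensive handling of the 'mail me the form' CGI step (hypothetical code)."""
from datetime import datetime, timezone
from email.message import EmailMessage
from urllib.parse import parse_qs

EXPECTED_FORMVERSION = "XXXXXXXX.html 2007Apr14 KHL"  # value from the posted form
MAX_BODY = 64 * 1024                       # room for a short secret, not for abuse
RECIPIENT = "keith@example.invalid"        # placeholder, not a real address


def one_line(value, limit=200):
    """Collapse whitespace, including CR/LF, so a request-derived value can be
    placed in the mail without adding headers or extra metadata lines."""
    return " ".join(str(value).split())[:limit]


def handle_post(environ, body):
    """Validate a CGI POST; return (http_status, EmailMessage or None)."""
    if environ.get("HTTPS", "").lower() != "on":
        return 403, None                   # never accept a secret over plain HTTP
    if environ.get("REQUEST_METHOD") != "POST":
        return 405, None
    try:
        length = int(environ.get("CONTENT_LENGTH", "0"))
    except ValueError:
        return 400, None
    if length <= 0 or length > MAX_BODY or len(body) != length:
        return 413, None

    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    if fields.get("FORMVERSION", [""])[0] != EXPECTED_FORMVERSION:
        return 400, None                   # stale or forged form
    text = fields.get("TEXT53", [""])[0]
    if not text.strip():
        return 400, None

    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = RECIPIENT
    msg["Subject"] = "Message from the secret-message form"   # fixed, not user data
    meta = "\n".join([
        "date:   " + datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "script: " + one_line(environ.get("SCRIPT_NAME", "?")),
        "form:   " + one_line(fields["FORMVERSION"][0]),
        "remote: " + one_line(environ.get("REMOTE_ADDR", "?")),
        "https:  " + one_line(environ.get("HTTPS", "?")),
    ])
    msg.set_content(meta + "\n\n" + text)
    return 200, msg


def demo():
    """Constructed sample request (not real traffic): one over HTTPS, one not."""
    body = (b"FORMVERSION=XXXXXXXX.html+2007Apr14+KHL"
            b"&EXECUTE_OPTION=Send+page+to+Keith"
            b"&TEXT53=backup+passphrase%3A+correct-horse")
    environ = {"HTTPS": "on", "REQUEST_METHOD": "POST",
               "CONTENT_LENGTH": str(len(body)),
               "SCRIPT_NAME": "/cgibin/XXXXXXXXX.cgi", "REMOTE_ADDR": "203.0.113.7"}
    return handle_post(environ, body), handle_post({**environ, "HTTPS": ""}, body)


if __name__ == "__main__":
    (status, mail), refused = demo()
    print(status, refused)
    print(mail)
```

The HTTPS check relies on the web server setting the `HTTPS` variable for the CGI process, which is what the original script already reports in its mail; checking it before doing anything else turns a reporting detail into an enforced requirement.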



