webmaster question
Matthew Carpenter
matt
Thu May 12 08:44:38 PDT 2005
Rick Sivernell wrote:
> Lonnie
>
> Point made, I also understand what you have said and why. The web
> site is my place to make a living. At my age, companies here in
> Dallas pass me by: one I am 59, 2nd I command much larger salary
> than younger people. I also have much more experience, along with
> more variety of experience. One other thing, I do not politic at
> work, I am rather blunt. So the site stays, but I have already,
> earlier today, removed any of that type of code. At this time I am
> not the best htmler asp developer, but soon I will be. Lonnie, I
> always enjoy your post, no matter the content. Most will cause one
> to stop and think some more.

Rick, I can understand where you're coming from, but don't you think
that anyone who might critique or make use of your code would also
have a tool like wget or lynx which can dump the raw code to a file?
I'm intrigued with whatever gismo was used to disable the right click
and the view source features as well, but it's just not worth the
work. It's likely different for Firefox and IE, and there are a
plethora of tools which would circumvent it without your control.

Key point of net-app security: Never trust components over which you
have no control. This can be paraphrased as "security must live on
this side of the firewall". If you have code you are interested in
protecting, it better be in the server-side code. This includes the
non-HTML components of ASP and JSP pages. Just the HTML and the
results of the embedded code are vulnerable to prying eyes. The
absolute truth in HTML programming is that you simply cannot protect
what gets handed out over the network from those who are allowed to
use it.

Tools which can view your source code: Paros, Squid, wget, lynx, or
simply tcpdump / Ethereal.

Your best bet is simply documenting and formatting well. If someone
doesn't know about those tools, they likely will be duped by the
adherence to "pretty" standards. If they can see beyond the
well-formatted code, you're not going to keep them from seeing your HTML.

--
Matthew Carpenter
matt at eisgr.com http://www.eisgr.com/
Enterprise Information Systems
* Network Server Appliances
* Security Consulting, Incident Handling & Forensics
* Network Consulting, Integration & Support
* Web Integration and E-Business
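
The distinction drawn in the message above, between server-side code and what is handed out over the network, shown as an added example that is not part of the original message. The page, `quote_price` and the pricing constants are constructed for illustration; a plain HTTP client on loopback stands in for wget.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample page: a right-click blocker plus one server-rendered value.
PAGE = """<html><body oncontextmenu="return false">
<script>document.oncontextmenu = function () { return false; };</script>
<p>Your quote: @QUOTE@ cents</p>
</body></html>"""

UNIT_COST_CENTS = 425   # hypothetical pricing inputs that stay on the server
MARKUP_PERCENT = 37

def quote_price(quantity):
    """Hypothetical server-side logic; only its result is sent to clients."""
    return quantity * UNIT_COST_CENTS * (100 + MARKUP_PERCENT) // 100

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = PAGE.replace("@QUOTE@", str(quote_price(10))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_raw():
    """Fetch the page with a plain HTTP client, as wget would: no JS runs."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", "/")
        return conn.getresponse().read().decode()
    finally:
        server.shutdown()
        server.server_close()

def exposure_report(source):
    """What a reader of the raw response can and cannot see."""
    return {
        "blocker_visible": "oncontextmenu" in source,
        "result_visible": str(quote_price(10)) in source,
        "logic_visible": any(t in source for t in ("quote_price", "UNIT_COST", "MARKUP")),
    }

if __name__ == "__main__":
    print(exposure_report(fetch_raw()))
```

The blocker script arrives as ordinary text that a non-browser client never executes, while the pricing logic never appears in the response at all.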