Menu
▾
▴
Re: [Expectperl-discuss] keyboard input
|
From: Roland G. <r.g...@xs...> - 2001-07-02 16:03:06
|
Aziz Ihsanoglu wrote: > > thanks for warning me for the security issues. What I am trying to do is > building an e-commerce for my course project. It requires that the customers > should sign the purchase order and mail it to the orders department so he > cannot deny that he did the order. That's why I have to generate keys for > every customer when they register to the site. OK, it's only for a course, but this design has severe security flaws in it. How exactly are you verifying your customers identity when he registers at your website? The best you can do is to verify his address by sending him a password via postal mail and/or his phone number by calling him back. Just letting anybody register and giving them a key for later perusal doesn't buy anything security-wise. Also, are you requiring that your customers install PGP? Not a good choice. PGP needs too much technical expertise to handle and install. I would use other ways: you can have the webbrowser create a key pair, sending the public part to your server and storing the private part. Netscape uses a <KEYGEN> HTML tag, don't know about Explorer. Only my EUR 0.02 > I couldn't find any ways > doing this without using expect. I actually solved that part with send_slow > function and some loops. but my cgi script is not working great from > apache. when I run it with root access it doesn't have any problem. I tried > to setuid the script but it gives an error on the 114th line of the > expect.pm. It would have been helpful if you had posted the error message... > What do you think is problem. ANy help would be appreciated/ > Thank you. I guess it's a tainting problem. Some part of the command given to spawn comes from an unreliable source and is thus tainted. See 'perldoc perlsec'... Hope this helps, Roland > > > > a-i...@no... wrote: > > > > > > I have a small problem with expect.pm. I am using expect module to create pgp > > > keys with my pgp program. The problem is since expect just enters the data with > > > constant time, pgp cannot doesn't collect enough random data and that's why > > > cannot create the keys instantly and requires user to enter some random data > > > from the keyboard. I tried to print some long random text but pgp doesn't get > > > any of it. I think it requires the random data to be inputted from the > > > keyboard. Is there any way to do that? Any help would be appreciated. Thanks in > > > advance. > > > > Well, this isn't supposed to work that way. PGP does everything to get > > real random numbers by timing the user keystrokes, and this requires > > low-level interaction wiht the keyboard driver, circumventing the regular > > pty that Expect uses. > > > > So basically, this is a PGP issue: if you can get PGP to not query the user > > for random bits, then it is doable. > > > > On the other hand: why would you want to automate such a security-sensitive > > action? The keys are to be protected by a pass-phrase, which should be > > kept secret by all means, so automating this is counter-productive. > > Creating a public/secret key pair is analogue to opening a bank account, > > something that you don't do on a daily basis either. > > > > Hope this helps, > > > > Roland > > -- > > RGi...@cp... > > > > _______________________________________________ > > Expectperl-discuss mailing list > > Exp...@li... > > http://lists.sourceforge.net/lists/listinfo/expectperl-discuss > > -- RGi...@cp... |
