Blowfish seed visible


Roddie Grant
While developing a site I generated an error with BlowFish and was alarmed
that the error message displayed the seed

> Invalid data passed to Decrypt_BlowFish. The data was less that 16 characters
> long or was not an even number of characters. '321'
> at: blowfish with params: -Seed='The seed was shown here!', 'The string here'

Is this just a lesson in being more careful, or could I reasonably expect
the error message to omit the seed? Is it a bug?

Roddie Grant



============================================
Attend the Lasso Summit
March 2-4, 2007 in Fort Lauderdale, FL
http://www.LassoSummit.com/
============================================

------------------------------
Lasso Support: http://support.omnipilot.com/
Search the list archives: http://www.listsearch.com/lassotalk.lasso
Manage your list subscription:  
http://www.listsearch.com/lassotalk.lasso?manage
Re: Blowfish seed visible

Fletcher Sandbeck
> While developing a site I generated an error with BlowFish and was
> alarmed that the error message displayed the seed
>
> > Invalid data passed to Decrypt_BlowFish. The data was less that 16
> > characters long or was not an even number of characters. '321' at:
> > blowfish with params: -Seed='The seed was shown here!', 'The string
> > here'
>
> Is this just a lesson in being more careful, or could I reasonably
> expect the error message to omit the seed? Is it a bug?

I would say a little of both.  Passwords which are contained within your
Lasso pages are susceptible to being seen in error messages or due to
server misconfiguration.

However, Lasso does obscure any parameter named -Password within an
error message to prevent this kind of inadvertent exposure.  I will file
a feature request that we should also obscure -Seed and -Key.

I would suggest storing your password up at the top of the page in a
variable, or in an include file.  Then the error message will show
-Seed=$mySeed or similar.  There are also methods of wrapping the
encrypt tags in your own custom tag so the seed is actually defined at
startup.

On a public facing site you should dial the error reporting down to none
or use a custom error page which does not show the syntax error to the
site visitor.  Instead you can email the error message to yourself.  You
can also use an IP check so you show yourself a full error message and
show visitors a generic error message.

<http://www.omnipilot.com/TotW.1768.9217.lasso>

[fletcher]
--
Fletcher Sandbeck                         [hidden email]
Director of Product Development       http://www.lassostudio.com
OmniPilot Software, Inc.                http://www.omnipilot.com

Re: Blowfish seed visible

Adam Randall-2
In reply to this post by Roddie Grant
On Tue, 13 Feb 2007 16:05:18 +0000, Roddie Grant wrote:

> While developing a site I generated an error with BlowFish and was alarmed
> that the error message displayed the seed
>
>> Invalid data passed to Decrypt_BlowFish. The data was less that 16
>> characters
>> long or was not an even number of characters. '321'
>> at: blowfish with params: -Seed='The seed was shown here!', 'The
>> string here'
>
> Is this just a lesson in being more careful, or could I reasonably expect
> the error message to omit the seed? Is it a bug?

I've always wanted it to be hidden myself.

Adam.

--
-----------------------------------------------------------------------
Adam Randall                                       http://www.xaren.net
[hidden email]                                   AIM/iChat:  blitz574

"Macintosh users are a special case. They care passionately about the
Mac OS and would rewire their own bodies to run on Mac OS X if such a
thing were possible." -- Peter H. Lewis

Re: Blowfish seed visible

Roddie Grant
In reply to this post by Fletcher Sandbeck



On 13/2/07 16:45, "Fletcher Sandbeck" <[hidden email]> wrote:

>> While developing a site I generated an error with BlowFish and was
>> alarmed that the error message displayed the seed
>>
>>> Invalid data passed to Decrypt_BlowFish. The data was less that 16
>>> characters long or was not an even number of characters. '321' at:
>>> blowfish with params: -Seed='The seed was shown here!', 'The string
>>> here'
>>
>> Is this just a lesson in being more careful, or could I reasonably
>> expect the error message to omit the seed? Is it a bug?
>
> I would say a little of both.  Passwords which are contained within your
> Lasso pages are susceptible to being seen in error messages or due to
> server misconfiguration.
>
> However, Lasso does obscure any parameter named -Password within an
> error message to prevent this kind of inadvertent exposure.  I will file
> a feature request that we should also obscure -Seed and -Key.
>
> I would suggest storing your password up at the top of the page in a
> variable, or in an include file.  Then the error message will show
> -Seed=$mySeed or similar.  There are also methods of wrapping the
> encrypt tags in your own custom tag so the seed is actually defined at
> startup.
>
> On a public facing site you should dial the error reporting down to none
> or use a custom error page which does not show the syntax error to the
> site visitor.  Instead you can email the error message to yourself.  You
> can also use an IP check so you show yourself a full error message and
> show visitors a generic error message.
>
> <http://www.omnipilot.com/TotW.1768.9217.lasso>
>
> [fletcher]

Thanks Fletcher. I will be more careful in future ;-).

Roddie



Re: Blowfish seed visible

shelane
In reply to this post by Fletcher Sandbeck
I use a variable seed like this:

Encrypt_blowfish: -seed=$myseed, (field: 'ID');

When I get an error it shows this:

Encrypt_blowfish: -seed='my seed variable value', (field: 'ID');

I would concur that it should be obscured in encrypt and decrypt.  (I like
the idea of all -key and -seed params being obscured.)

On 2/13/07 8:45 AM, "Fletcher Sandbeck" <[hidden email]> wrote:

> I would suggest storing your password up at the top of the page in a
> variable, or in an include file.  Then the error message will show
> -Seed=$mySeed or similar.  There are also methods of wrapping the
> encrypt tags in your own custom tag so the seed is actually defined at
> startup.


Re: Blowfish seed visible

Adam Randall-2
On Tue, 13 Feb 2007 09:50:31 -0800, Shelane Enos wrote:

> I use a variable seed like this:
>
> Encrypt_blowfish: -seed=$myseed, (field: 'ID');
>
> When I get an error it shows this:
>
> Encrypt_blowfish: -seed='my seed variable value', (field: 'ID');
>
> I would concur that it should be obscured in encrypt and decrypt.  (I like
> the idea of all -key and -seed params being obscured.)

The alternate solution would be to set your error reporting to minimal or none:

[Lasso_ErrorReporting: 'minimal']
[Lasso_ErrorReporting: 'none']

As that won't show the details of the error, just the error itself.

Adam.

--
-----------------------------------------------------------------------
Adam Randall                                       http://www.xaren.net
[hidden email]                                   AIM/iChat:  blitz574

"Macintosh users are a special case. They care passionately about the
Mac OS and would rewire their own bodies to run on Mac OS X if such a
thing were possible." -- Peter H. Lewis

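The two mitigations the replies describe (Fletcher's: mask -Seed and -Key the way Lasso already masks -Password, and show the detailed message only to your own IP while visitors get a generic page and you get the detailed copy by mail or log; Adam's: turn Lasso_ErrorReporting down so the parameter list is not shown at all) can be put together in one place, the page that renders errors. The following is an added example written for this page in Python, not Lasso code and not anything from the thread or from OmniPilot: it works on error text in the shape Lasso printed it in Roddie's and Shelane's posts, so the value substituted for $myseed is masked whether or not the seed was literal. The function names, TRUSTED_IPS and the sample strings are this example's own assumptions; the error text is a constructed copy of what was posted.

```python
"""
Added example: mask secret-bearing parameters in an error message and decide
who gets to see the detailed text.  Not Lasso code; names are illustrative.
"""
import ipaddress
import re
import uuid

# Parameter names whose values must never reach a browser or a mailbox.
# -Password is the one the thread says Lasso already masks; -Seed and -Key
# are the two the feature request asks for.
SECRET_PARAMS = ("Seed", "Key", "Password")
MASK = "'********'"

# Matches  -Seed='value'  as it appears in a "with params:" list.  The value
# is a single-quoted literal in which \' is an escaped quote, not the end.
_SECRET_RE = re.compile(
    r"(?P<name>-(?:" + "|".join(SECRET_PARAMS) + r")\s*=\s*)'(?:[^'\\]|\\.)*'",
    re.IGNORECASE,
)

# Addresses allowed to see the detailed message (assumed; 192.0.2.0/24 is a
# documentation range standing in for a developer's network).
TRUSTED_IPS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("127.0.0.1/32"),
]

# Constructed copies of the error text quoted in the thread.
SAMPLE_DECRYPT_ERROR = (
    "Invalid data passed to Decrypt_BlowFish. The data was less that 16 "
    "characters long or was not an even number of characters. '321' "
    "at: blowfish with params: -Seed='The seed was shown here!', "
    "'The string here'"
)
# Shelane's case: the seed came from $myseed, but the message shows its value.
SAMPLE_ENCRYPT_ERROR = "Encrypt_blowfish: -seed='my seed variable value', (field: 'ID');"


def redact_secret_params(message: str) -> str:
    """Replace the value of every -Seed/-Key/-Password parameter with a mask.

    The parameter name and the surrounding text are kept, so the message is
    still useful for debugging; only the secret literal is gone.
    """
    return _SECRET_RE.sub(lambda m: m.group("name") + MASK, message)


def present_error(message: str, client_ip: str, trusted_ips, sink) -> str:
    """Return the text to show the visitor at client_ip for this error.

    The masked detailed copy is handed to `sink` (a callable standing in for
    a log file or the e-mail to yourself) tagged with a reference id.
    Trusted addresses see that same masked copy inline; everyone else sees a
    generic page carrying only the reference id, which you can match to the
    sink entry later.  The raw message, with the seed in it, goes nowhere.
    """
    detailed = redact_secret_params(message)
    ref = uuid.uuid4().hex[:8]
    sink(f"[{ref}] {detailed}")
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in trusted_ips):
        return detailed
    return f"An error occurred. Reference {ref}."


if __name__ == "__main__":
    log = []
    # Developer's browser: detailed, seed masked.
    print(present_error(SAMPLE_DECRYPT_ERROR, "192.0.2.10", TRUSTED_IPS, log.append))
    # Anonymous visitor: generic page plus reference id.
    print(present_error(SAMPLE_DECRYPT_ERROR, "198.51.100.7", TRUSTED_IPS, log.append))
    print(redact_secret_params(SAMPLE_ENCRYPT_ERROR))
    print(*log, sep="\n")
```

Two deliberate choices differ slightly from the advice in the thread. The masked copy is what reaches the trusted IP as well, because a seed rendered into a developer's browser ends up in caches and history, and the masked copy is also what is logged or mailed, because the e-mail Fletcher suggests sending to yourself otherwise carries the seed over SMTP and into a long-lived mailbox; the reference id links the generic page a visitor saw to the detailed entry. Until the product masks -Seed and -Key itself, this kind of filtering has to happen in the custom error page, on top of setting the reporting level down for visitors as Adam suggests.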