Hi
After seeing the various messages about open redirects, I did a search about "safe" HTTP redirectors, but didn't find many resources.
While it's not that difficult to make a safe one with a manual whitelist, it's not easy in all scripts (.asp, .pl, .php) to make a script that uses SURBL to block spammers. Such a script would have the big advantage that it could be generic. Are there any available on the net?
It could be a nice idea to add some links to those resources from the "letter to redirector sites" page.
Alain
On Wed, Mar 23, 2005 at 11:30:57PM +0100, Alain wrote:
After seeing the various messages about open redirects, I did a search about "safe" HTTP redirectors, but didn't find many resources.
While it's not that difficult to make a safe one with a manual whitelist, it's not easy in all scripts (.asp, .pl, .php) to make a script that uses SURBL to block spammers. Such a script would have the big advantage that it could be generic. Are there any available on the net?
An equally important strategy to making a safe redirector absent whitelisting of partial or entire hostnames is to employ HMAC authentication. Basically, your redirector generator keeps a secret, you hash the secret with the URL and give back an auth token, then send back both the token and the URL to the real redirector. The redirector re-computes and compares the auth token, and redirects only if the token matches. Basically, it's a simplified form of only redirecting to signed URLs which requires only one secret.
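The signed-redirect scheme Devin describes, written out in Python as an added example (not Devin's code or anything posted in this thread): the link generator HMACs the destination URL under a shared secret, and the redirector recomputes the token and redirects only on a match. The secret, the redirector location example.invalid and the parameter names url and token are constructed for the demo.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed demo secret; a deployment loads this from configuration, and only
# the link generator and the redirector need to know it.
SECRET = b"constructed-demo-secret-not-for-production"
REDIRECTOR = "https://example.invalid/redir"  # assumed redirector location


def auth_token(url: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 of the destination URL under the shared secret, hex-encoded."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def build_link(url: str, secret: bytes = SECRET) -> str:
    """Generator side: emit a redirector link carrying the URL and its token."""
    return REDIRECTOR + "?" + urlencode({"url": url, "token": auth_token(url, secret)})


def resolve(link: str, secret: bytes = SECRET):
    """Redirector side: return the destination only if the token verifies.

    Returns None when a parameter is missing or the token does not match;
    the caller should answer with an error page instead of redirecting.
    """
    params = parse_qs(urlparse(link).query)
    url = params.get("url", [None])[0]
    token = params.get("token", [None])[0]
    if url is None or token is None:
        return None
    # Constant-time comparison on bytes, so the check neither leaks token bytes
    # through timing nor raises on a non-ASCII token value.
    expected = auth_token(url, secret).encode("ascii")
    if not hmac.compare_digest(expected, token.encode("utf-8")):
        return None
    return url


if __name__ == "__main__":
    good = build_link("http://www.domain.com/page.html")
    print("signed link :", good)
    print("resolves to :", resolve(good))
    # Swapping the destination while keeping the old token is refused,
    # because the token covers the whole URL.
    print("tampered    :", resolve(good.replace("www.domain.com", "other.example")))
    # A bare ?url= with no token, the request an open redirector would honour, is refused too.
    print("unsigned    :", resolve(REDIRECTOR + "?url=http://other.example/"))
```

Because the token is bound to the exact URL string, any change to scheme, host, path or query invalidates it, so no hostname whitelist is needed on the redirector.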
On Wed, 23 Mar 2005 14:41:13 -0800, Devin Carraway surbl-box@devin.com wrote:
On Wed, Mar 23, 2005 at 11:30:57PM +0100, Alain wrote:
After seeing the various messages about open redirects, I did a search about "safe" HTTP redirectors, but didn't find many resources.
While it's not that difficult to make a safe one with a manual whitelist, it's not easy in all scripts (.asp, .pl, .php) to make a script that uses SURBL to block spammers. Such a script would have the big advantage that it could be generic. Are there any available on the net?
If you wrote the redirecting web page so it uses JavaScript to do the redirect, instead of <a href...>, that would be safer, because most mail clients don't allow JavaScript execution in a message.
Chris - webupdate->gmail.com
Example:
<a href="javascript:document.location.href='http://www.domain.com/page.html';">Click here</a>
This will work in a browser but fail in an e-mail message.
Chris
Works fine in Lotus Notes 6.5.
John Delisle, CISA Senior Network Analyst, Network and Security Team Information Systems & Technology Management Dept. Ceridian Canada Ltd 600 - 125 Garry St Winnipeg, MB R3C 3P2 204-975-5909
Chris Velazquez webupdate@gmail.com wrote on 03/23/2005 08:24 PM to the SURBL Discussion list discuss@lists.surbl.org, Subject: Re: [SURBL-Discuss] tips how to make a safe redirector:
Example:
<a href="javascript:document.location.href='http://www.domain.com/page.html';">Click here</a>
This will work in a browser but fail in an e-mail message.
Chris
_______________________________________________
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
Hi
Thanks, that seems to me a reasonably simple alternative to using SURBL; however, using SURBL would be automatic...
Alain
On 3/24/05, Devin Carraway surbl-box-at-devin.com |surbl list| <...> wrote:
On Wed, Mar 23, 2005 at 11:30:57PM +0100, Alain wrote:
After seeing the various messages about open redirects, I did a search about "safe" HTTP redirectors, but didn't find many resources.
While it's not that difficult to make a safe one with a manual whitelist, it's not easy in all scripts (.asp, .pl, .php) to make a script that uses SURBL to block spammers. Such a script would have the big advantage that it could be generic. Are there any available on the net?
An equally important strategy to making a safe redirector absent whitelisting of partial or entire hostnames is to employ HMAC authentication. Basically, your redirector generator keeps a secret, you hash the secret with the URL and give back an auth token, then send back both the token and the URL to the real redirector. The redirector re-computes and compares the auth token, and redirects only if the token matches. Basically, it's a simplified form of only redirecting to signed URLs which requires only one secret.
--
Devin    \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2