[SURBL-Discuss] tips how to make a safe redirector
Devin Carraway
surbl-box at devin.com
Wed Mar 23 23:41:13 CET 2005
On Wed, Mar 23, 2005 at 11:30:57PM +0100, Alain wrote:
> After seeing the various messages about open redirects, I did a search
> about "safe" http redirectors, but didn't find many resources.
>
> While it's not that difficult to make a safe one with a manual
> whitelist, it's not in all scripts (.asp,.pl,php) easy to make a
> script that uses SURBL to block spammers. Such a script would have
> the big advantage that it could be generic. Are there available on
> the net?
An equally important strategy to making a safe redirector absent whitelisting
of partial or entire hostnames is to employ HMAC authentication. Basically,
your redirector generator keeps a secret, you hash the secret with the URL and
give back an auth token, then send back both the token and the URL to the
real redirector. The redirector re-computes and compares the auth token, and
redirects only if the token matches. Basically, it's a simplified form of
only redirecting to signed URLs which requires only one secret.
--
Devin \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
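The HMAC-authenticated redirector Devin describes, as an added example for this archive page (it is not code from the list or from Devin): one side signs the target URL with a shared secret, the redirector recomputes the tag and only redirects on a match. The secret, the `url`/`token` parameter names and the sample URLs are constructed for the example; the comparison uses a constant-time check so the token cannot be guessed byte by byte.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Constructed secret for the example; a real deployment loads it from
# configuration and never ships it to clients.
SECRET = b"example-secret-do-not-use"


def make_token(target, secret=SECRET):
    """HMAC-SHA256 of the exact target URL under the shared secret."""
    return hmac.new(secret, target.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_url(target, secret=SECRET):
    """Generator side: build the redirector query string 'url=...&token=...'."""
    return urlencode({"url": target, "token": make_token(target, secret)})


def verify(query, secret=SECRET):
    """Redirector side: return the target URL if its token is valid, else None."""
    params = parse_qs(query, keep_blank_values=True)
    urls = params.get("url", [])
    tokens = params.get("token", [])
    # Exactly one url and one token; duplicated parameters are rejected so an
    # attacker cannot pair a valid token with a second, unsigned url value.
    if len(urls) != 1 or len(tokens) != 1:
        return None
    expected = make_token(urls[0], secret)
    # Constant-time comparison, so timing does not leak the expected token.
    if not hmac.compare_digest(expected, tokens[0]):
        return None
    return urls[0]


def redirect_response(query, secret=SECRET):
    """Return (status, location_or_body) the redirector would answer with."""
    target = verify(query, secret)
    if target is None:
        return 403, "Forbidden: bad or missing token"
    return 302, target


if __name__ == "__main__":
    good = sign_url("http://example.org/newsletter")
    print(redirect_response(good))
    # Same token, different target: the redirector refuses.
    forged = good.replace("newsletter", "phish")
    print(redirect_response(forged))
```

Because the token is bound to the exact URL string, changing a single character of the target (including adding a second `url=` parameter) invalidates it, and only the holder of the secret can mint tokens, so the redirector stays closed to anyone who merely knows its address.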