[SURBL-Discuss] tips how to make a safe redirector

Devin Carraway surbl-box at devin.com
Wed Mar 23 23:41:13 CET 2005


On Wed, Mar 23, 2005 at 11:30:57PM +0100, Alain wrote:
> After seeing the various messages about open redirects, I did a search
> about "safe" HTTP redirectors, but didn't find many resources.
> 
> While it's not that difficult to make a safe one with a manual
> whitelist, it's not easy in all scripts (.asp, .pl, .php) to make a
> script that uses SURBL to block spammers.  Such a script would have
> the big advantage that it could be generic.  Are there any available on
> the net?

An equally important strategy to making a safe redirector absent whitelisting
of partial or entire hostnames is to employ HMAC authentication.  Basically,
your redirector generator keeps a secret, you hash the secret with the URL and
give back an auth token, then send back both the token and the URL to the
real redirector.  The redirector re-computes and compares the auth token, and
redirects only if the token matches.  Basically, it's a simplified form of
only redirecting to signed URLs which requires only one secret.



-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2


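The scheme Devin describes, written out as an added example (this is not code from the original post, nor from any SURBL project): one side signs the target URL with a server-side secret and emits a link carrying both, the other side recomputes the tag and redirects only if it matches. It uses a real HMAC (HMAC-SHA256) rather than a bare hash of secret-plus-URL, which avoids the length-extension weakness of H(secret || url) with MD5/SHA-1, and compares tags in constant time. The secret value, the redirect base https://example.com/redirect, and the sample target and spammer URLs are all constructed for the example; a real deployment would load the secret from configuration.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed for this example. In practice load the secret from config
# (never from the request) and rotate it like any other credential.
SECRET = b"example-redirector-secret-do-not-reuse"

# Refuse to sign or follow anything that is not a plain web URL, so a
# matching token can never send a browser to javascript:, data:, etc.
ALLOWED_SCHEMES = ("http", "https")


def make_token(url: str) -> str:
    """HMAC-SHA256 over the exact target URL (scheme, host, path, query)."""
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()


def build_redirect_link(url: str, base: str = "https://example.com/redirect") -> str:
    """Generator side: emit a link carrying both the target URL and its token.

    `base` is a hypothetical redirector endpoint used only for illustration.
    """
    if urlsplit(url).scheme not in ALLOWED_SCHEMES:
        raise ValueError("refusing to sign a non-http(s) URL: %r" % url)
    return base + "?" + urlencode({"url": url, "token": make_token(url)})


def verify_redirect(query_string: str):
    """Redirector side: return the target URL if the token checks out, else None.

    Takes the raw query string the redirector received, so that the check
    runs over exactly what the client supplied.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    url = params.get("url", [""])[0]
    token = params.get("token", [""])[0]
    if urlsplit(url).scheme not in ALLOWED_SCHEMES:
        return None
    expected = make_token(url)
    # Constant-time comparison: a plain == would leak the tag byte by byte.
    if not hmac.compare_digest(expected, token):
        return None
    return url


if __name__ == "__main__":
    legit = "https://www.surbl.org/"              # sample target, constructed
    link = build_redirect_link(legit)
    print("signed link:", link)
    query = link.split("?", 1)[1]
    print("verified:", verify_redirect(query))    # -> https://www.surbl.org/

    # A spammer reuses a real token but swaps in his own destination:
    token = parse_qs(query)["token"][0]
    forged = urlencode({"url": "http://spammer.example/", "token": token})
    print("forged:", verify_redirect(forged))     # -> None
```

Because the tag covers the whole URL, a spammer can only ever reuse tokens for destinations the generator already agreed to sign, which is exactly the property a whitelist gives without having to maintain one; a SURBL lookup can still be applied on the generator side at signing time if you want to refuse listed hosts before they are ever signed.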