Is It Possible (General Discussion)


zippy k

Apr 2, 2002, 9:45pm
After the latest Games that World Owners had to go through with the object
path, I was wondering if anyone knows if an .htaccess file can be used for
directory security on the web server?
Any feedback would be welcome.
ZippyK
__________________________________________________________________

silenced

Apr 2, 2002, 10:18pm
Andras and I came up with a new idea; he's preparing it as we speak :)

--Bowen--


jerme

Apr 3, 2002, 12:12am
A while back I wrote a post about this....

.htaccess files use a part of the HTTP protocol to issue a username/password
challenge. Your browser (e.g. Internet Explorer, Netscape) knows how to
accept this challenge (and display the appropriate dialogue asking for the
info), and how to reply with the correct information. The server looks at
the browser's reply, and decides (by comparing the info you gave to the
encrypted version that is stored on the server) to grant or deny access to
the requested file.

The AW browser does not know how to do either of these, and therefore would
fail to access a directory which is protected with a .htaccess file...

I'm not sure what andras is working on (see previous post by "silenced"),
however I'm very curious. Roland may also have something up his sleeve to
solve this problem.

What we need is some way for a server to identify the AW browser, so it can
distinguish between IE and AW. You could set your server (with URL rewrite
rules, or with cgi/php scripts) to deny access through IE. The obvious way
to do this would be to use the HTTP_USER_AGENT environment variable. (This
tells the server the name and version of your browser, e.g. Mozilla/4.0
(compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Q312461))

The only problem with this: it would be extremely easy to forge this
information. Once you knew what the HTTP_USER_AGENT variable held when an
AW browser requests an object, you could make any other program (including a
custom compiled version of IE) identify itself with the proper string.

This could be the simplest, fastest solution...

However, read the next thread I'm starting for a better solution...

-J

JerMe (#296967)

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeremy Booker
JTech Web Systems
(www.JTechWebSystems.com -- Coming Soon)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

dion

Apr 3, 2002, 12:17am
Also, browsers that do not accept htaccess information would get by just
fine. Or maybe even a modified IE or something. I think the best way to keep
your stuff safe is to zip everything with a password. I don't know if
textures can be zipped, but if they can, they should be, and passworded as
well.


zippy k

Apr 3, 2002, 12:42am
I was one of the worlds that had the password hacked; my files were zipped
and passworded.


dion

Apr 3, 2002, 12:48am
htaccess would not have helped that. Those passwords were taken using a
special browser. That browser cannot be used anymore. It was stopped about
2 months ago.


jerme

Apr 3, 2002, 12:48am
(1. I've never tried to access a .htaccess protected directory from a
non-.htaccess enabled browser... However, I doubt they'd breeze by. I think
the server would automatically give them a 401 - access denied.

(2. As we've seen by the list of cracked paths, zip password protection is
not enough. It is way too easy to crack a zip file. Takes only several hours
in some cases.
http://google.yahoo.com/bin/query?p=%2b%22winzip%22+%2b%22password%22&hc=0&hs=0

(3. Textures cannot be zipped... The browser only knows how to unzip avatars
and models.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeremy Booker
JTech Web Systems
(www.JTechWebSystems.com -- Coming Soon)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
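The exchange jerme describes in his two posts above (the server challenges, the browser replies with the credentials, the server compares them to a stored hashed copy, and a client that never answers the challenge keeps getting a 401) can be modelled end to end. The block below is an added example, not code from the thread or from Apache: it stands in for what an `AuthType Basic` .htaccess directory does, using a constructed salted-SHA-256 credential record rather than Apache's own htpasswd formats, and constructed user names and passwords.

```python
"""HTTP Basic authentication, server side and client side, in plain Python.
Added example (not from the thread). The credential store format
(salt$sha256) is a constructed stand-in for an htpasswd file."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

REALM = "Object Path"  # constructed realm name shown in the browser's password dialog


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store a credential as salt$hexdigest so the plaintext never sits on disk."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify(record: str, password: str) -> bool:
    """Recompute the digest for the offered password and compare in constant time."""
    salt_hex, digest = record.split("$", 1)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def handle_request(headers: Dict[str, str], users: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a request to a protected directory.

    A client that never sends Authorization (the thread says the AW browser does
    not know how to) is answered with 401 plus a WWW-Authenticate challenge every
    time; it does not "breeze by".
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if not auth:
        return 401, challenge
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return 401, challenge
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 400, {}  # malformed credentials, not merely wrong ones
    user, sep, password = decoded.partition(":")  # user names may not contain ':'
    if not sep:
        return 400, {}
    record = users.get(user)
    if record is None or not verify(record, password):
        return 401, challenge
    return 200, {}


def client_reply(user: str, password: str) -> Dict[str, str]:
    """What a browser sends after the user fills in the password dialog."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def demo() -> list:
    """Walk through the four interesting cases; returns the status codes."""
    users = {"worldowner": make_record("constructed-example-password")}  # constructed
    return [
        handle_request({}, users)[0],                                                   # no credentials: 401
        handle_request(client_reply("worldowner", "wrong"), users)[0],                  # bad password: 401
        handle_request(client_reply("worldowner", "constructed-example-password"), users)[0],  # 200
        handle_request({"Authorization": "Basic !!notbase64"}, users)[0],               # garbage token: 400
    ]


if __name__ == "__main__":
    print(demo())
```

The store keeps only a salted digest, so a leaked credential file does not hand out the passwords, and `hmac.compare_digest` avoids leaking the match position through timing. Note that Basic auth itself sends the password base64-encoded, not encrypted; on a real server it belongs behind HTTPS.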

dion

Apr 3, 2002, 12:51am
1) Could be, was just guessing.

2) If you use a good password (20+ characters) using random letters and
numbers, the password would take years to crack with just one computer. Of
course, if there were 1,000 computers working on it, it might be done in a
month or two ;-) Too many combinations with 20 characters for any amount of
computers to do it in a couple of hours. Do not use real words. There are
special dictionaries made for brute force zip crackers to use.

3) Then it should be suggested. ;-)


ananas

Apr 3, 2002, 4:50am
.htaccess can do way more than just password protect stuff;
you can use it to forward a directory access to a script,
for example, and the script can take the models from outside
of the area that is open for HTTP access.

If you have this script check the HTTP_USER_AGENT for the content
"ActiveWorlds browser"
and then pass through the files, you get at least a little
more security.


robbie

Apr 3, 2002, 10:23am
Until someone whips up a program that downloads objects and gives the
USER_AGENT as Active Worlds browser. Although I doubt of the few that even
could do that, even fewer actually would. I'm also interested in what Andras
is working on. The browser that was used is dead now, and I doubt anyone
intends on creating another. Especially since 3.3 will be a whole new ball
game.

-Robbie


andras

Apr 3, 2002, 2:35pm
Andras

dion

Apr 3, 2002, 3:44pm
I don't get it... you don't think people should password the AW objects? Or
you don't think they should have them? *confused*


swe

Apr 3, 2002, 4:22pm
op without any aw objects? mine :D don't use it for a world though..

ooww wait, Blogs op, have like 15 objects, all which he made

baron

Apr 3, 2002, 4:23pm
What Andras is saying is that when you password protect a zip file and the attacker has both the password protected zip and the unzipped contained file (available from AW support web in this case), cracking the 96-bit zip encryption is a matter of minutes despite the password length, as Eli Biham and Paul Kocher demonstrated almost 10 years ago. World owners should password protect *only* the objects they want to protect, not more nor less. Btw CuteZip with Twofish 128-bit is a lot more secure but of course incompatible with AW; since this is general discussion maybe someone is interested in using it for other uses. http://cutezip.com/products/cutezip/index.shtml

-Baron



swe

Apr 3, 2002, 4:24pm
i think he means that it doesn't matter how long the password is, cuz it
will still get cracked if it ends up in the hands of someone who is able

dion

Apr 3, 2002, 4:46pm
ohhh I see. The winzip encryption is based on what's inside the zip file.
Hmm...

Damn, that's bad. I didn't even know that.


ananas

Apr 4, 2002, 4:25am
Some password cracking programs that do not work "brute force"
or based on wordlists can crack a password WAY faster if they
have the passworded ZIP file and the same file in an unzipped
version.

What Andras means is:

This problem can be avoided by protecting only those files that
need to be protected. It does not make sense - and makes cracking
faster - to protect files that are available to anyone for free.



ananas

Apr 4, 2002, 4:29am
sorry, I replied in "Worldbuilders" and didn't see that
it was already explained here :-/

kah

Apr 5, 2002, 12:05pm
you need a HTTP proxy that will let you manipulate stuff... probably a few
out there

KAH


ananas

Apr 5, 2002, 3:04pm
yep :) I use one of them - but for a different reason.
I think web pages should work independent from the browser,
so I told the proxy to identify the NetScape I'm using as
an AW browser too *g


jerme

Apr 6, 2002, 6:35pm
Here's how this works.. It's called a "clear text exploit". If I have a
plain zip file.. let's say pp01.zip (that's not password protected) and an
encrypted pp01.zip (the file was added with a password) then I can decrypt
the pp01.zip in about 30 seconds, no matter the password length.

When you password protect your zip files, the password becomes a key (just a
long string of numbers and letters) used to encrypt the file after it is
zipped. The same "key" must be used to decrypt the file. When you decrypt
the archive, you enter your password, which the program changes into the
"key" (one password always generates the same key), and then uses that key
to interpret the file.

The "clear text exploit" not only yields the file that was encrypted (which
you already knew anyway), it also unveils the "key" that was used to encrypt
it. Once the key is discovered any file can be decrypted....

So, let's say I downloaded a fresh version of pp01.zip from AW's object
path. Then (after discovering the URL for your OP) I download the password
protected version of pp01.zip from your site. I run the clear text attack
using these two files. I learn what the key is, and can use that key to
find your password and decrypt the rest of your objects.

Lesson to be learned: Don't encrypt objects that don't need it. Only
encrypt your custom objects, the ones that no one else will have an
unencrypted version of. (Exactly what andras said earlier..)

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeremy Booker
JTech Web Systems
(www.JTechWebSystems.com -- Coming Soon)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
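The lesson andras, ananas and jerme converge on above (encrypt only the objects nobody else has a plaintext copy of) is something a world owner can check mechanically before building the archive. The block below is an added example, not code from the thread: it fingerprints every file in an object path by content and splits the path into files that are safe to password protect and files that must stay out of the encrypted set because an identical public copy exists. It matches on file content rather than file name, since renaming a stock object does not change its bytes. All file names and contents are constructed sample data.

```python
"""Decide which object-path files may go into a password-protected archive.
Added example (not from the thread). A file whose exact bytes are also
available publicly (e.g. the stock AW objects) hands out the known plaintext
the thread describes, so it is excluded from the encrypted set."""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple


def fingerprint(data: bytes) -> str:
    """Content hash; two files with the same bytes get the same fingerprint."""
    return hashlib.sha256(data).hexdigest()


def public_fingerprints(public_files: Iterable[bytes]) -> Set[str]:
    """Fingerprints of every file anyone can already download unencrypted."""
    return {fingerprint(data) for data in public_files}


def partition_objects(objects: Dict[str, bytes], known_public: Set[str]) -> Tuple[List[str], List[str]]:
    """Split an object path into (encrypt_these, leave_plain).

    Matching is by content, not by name: a public object copied under a new
    file name is still a public object and still gives away its plaintext.
    """
    encrypt: List[str] = []
    plain: List[str] = []
    for name in sorted(objects):
        if fingerprint(objects[name]) in known_public:
            plain.append(name)
        else:
            encrypt.append(name)
    return encrypt, plain


def audit_report(objects: Dict[str, bytes], known_public: Set[str]) -> str:
    """Human-readable summary for the world owner."""
    encrypt, plain = partition_objects(objects, known_public)
    lines = ["Password protect (no public copy exists):"]
    lines += [f"  {name}" for name in encrypt]
    lines.append("Leave unencrypted (identical public copy exists):")
    lines += [f"  {name}" for name in plain]
    return "\n".join(lines)


# Constructed sample data: stand-ins for stock objects and one custom object.
STOCK_PP01 = b"constructed bytes standing in for the stock pp01 object"
STOCK_PP02 = b"constructed bytes standing in for the stock pp02 object"
CUSTOM_TOWER = b"constructed bytes standing in for a world owner's custom tower"

PUBLIC_OBJECTS = [STOCK_PP01, STOCK_PP02]            # what the stock path serves
MY_OBJECT_PATH = {                                   # what sits on the owner's server
    "pp01.zip": STOCK_PP01,
    "xyz_pp02.zip": STOCK_PP02,                      # renamed copy of a stock object
    "tower01.zip": CUSTOM_TOWER,
}


def demo() -> Tuple[List[str], List[str]]:
    return partition_objects(MY_OBJECT_PATH, public_fingerprints(PUBLIC_OBJECTS))


if __name__ == "__main__":
    print(audit_report(MY_OBJECT_PATH, public_fingerprints(PUBLIC_OBJECTS)))
```

On a real path the two inputs would be read from disk: the stock object directory on one side and the owner's path on the other. The renamed `xyz_pp02.zip` ends up in the "leave unencrypted" list precisely because the check ignores names.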

filmkr

Apr 6, 2002, 9:59pm
Hello,

I know that both you and Andras meant to be helpful but... Your description
here only teaches new kiddies how to take things they shouldn't be taking...
You ignored one of the reasons that a path might Password ALL their objects...
that is unauthorized path use... Some users might be happy just to use the
common objects on a high speed server... thus draining resources from the legit
user... Bandwidth on commercial services costs money and webmasters who provide
deluxe services deserve to protect the resources of their paying customers.

I agree that the issue mentioned does present an item for webmasters to review
but placing the information on how to crack the password in 30 seconds is not
acting responsibly. That just opened the doors for people to now try and steal
more than before... see my point? I know your intentions meant well.


> Here's how this works.. It's called a "clear text exploit". If I have a
> plain zip file.. let's say pp01.zip (that's not password protected) and an
> encrypted pp01.zip (the file was added with a password) then I can decrypt
> the pp01.zip in about 30 seconds, no matter the password length.
>
> When you password protect your zip files, the password becomes a key (just a
> long string of numbers and letters) used to encrypt the file after it is
> zipped. The same "key" must be used to decrypt the file. When you decrypt
> the archive, you enter your password, which the program changes into the
> "key" (one password always generates the same key), and then uses that key
> to interpret the file.
>
> The "clear text exploit" not only yields the file that was encrypted (which
> you already knew anyway), it also unveils the "key" that was used to encrypt
> it. Once the key is discovered any file can be decrypted....
>
> So, let's say I downloaded a fresh version of pp01.zip from AW's object
> path. Then (after discovering the URL for your OP) I download the password
> protected version of pp01.zip from your site. I run the clear text attack
> using these two files. I learn what the key is, and can use that key to
> find your password and decrypt the rest of your objects.
>
> Lesson to be learned: Don't encrypt objects that don't need it. Only
> encrypt your custom objects, the ones that no one else will have an
> unencrypted version of. (Exactly what andras said earlier..)
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jeremy Booker
> JTech Web Systems
> (www.JTechWebSystems.com -- Coming Soon)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

zeo toxion

Apr 6, 2002, 10:13pm
Uh, thanks for telling everyone how to crack OPs.....? God what are you
on... hehe


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A message from Zeo Toxion
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



dion

Apr 6, 2002, 10:25pm
Good lesson to teach people how to password their OP correctly :-P


echomencer

Apr 6, 2002, 11:31pm
Normally I don't bother to post but every once in a while someone says
something that gets my back up.

I take from filmkr (AKA Insanity) telling everyone off like kids that
perhaps he had not thought about the implications of passwording public
objects in your object path rather than leaving them unpassworded as they
were already on non passworded public access paths. Thus making his and
others' custom objects vulnerable to being taken when simple logic could have
prevented it in the first place.

Perhaps some would say that taking public objects and passwording them is
the same as taking other people's property and then denying them access to
it. Not to mention the fact that he has also pointed out by his own disdain
of this subject being aired that his own object paths are not as fully
secure as they could be. Perhaps if people spent their energies correcting
this problem rather than posting here about how stupid others are the world
would be a safer place and no one would be any the wiser to who is secure and
who is not.

All that most people here are trying to do is help others in the community
from the minority and share their knowledge on how to make a more secure
environment. Sometimes to do this you have to explain the reasoning behind
something in order for people to understand why to do it or what could
happen if they don't.

Now I will shut up and go back to sleep ;)


agent1

Apr 6, 2002, 11:32pm
Don't kid yourself. Anyone who wants to steal objects either already knows
this or could find out very easily. It's the "honest" people that likely
don't know about it. By making the information public, the "playing field"
is even.

Security through obscurity is not really security at all :)

-Agent1


filmkr

Apr 6, 2002, 11:38pm
Posting the reason it might be avoided is one thing... posting HOW TO is not
acting responsibly as it offers the way to be a thief... Not every one is a
hacker... but there are many that will try a new thing simply because it was
put in front of them... SIMPLY, there was no need to discuss the how to... only
the fact it could present another problem...


> Don't kid yourself. Anyone who wants to steal objects either already knows
> this or could find out very easily. It's the "honest" people that likely
> don't know about it. By making the information public, the "playing field"
> is even.
>
> Security through obscurity is not really security at all :)
>
> -Agent1
>

filmkr

Apr 6, 2002, 11:45pm
Think you do need some sleep... yes some of the objects are PUBLIC... but the
server they reside on is not, nor is its bandwidth FREE. Perhaps if you read
the full post while awake you would have understood better..

AW gives many of the objects... so do I if asked... but the services would be
drained if everyone climbed on a path simply because they could, therefore
hurting the honest user who appreciates paying for quality services. We do not
charge users to use the free objects... we simply collect a small fee to cover
the bandwidth, equipment and the support services. Our users love us and they
send their friends and anyone they meet because of that fact. Our custom made
objects are added there for our customers' added enjoyment.

There is plenty out there for free... stealing is NEVER right.

Filmkr & InSaNiTy
http://worldhosting.heartfall.com


> Normally I don't bother to post but every once in a while someone says
> something that gets my back up.
>
> I take from filmkr (AKA Insanity) telling everyone off like kids that
> perhaps he had not thought about the implications of passwording public
> objects in your object path rather than leaving them unpassworded as they
> were already on non passworded public access paths. Thus making his and
> others' custom objects vulnerable to being taken when simple logic could have
> prevented it in the first place.
>
> Perhaps some would say that taking public objects and passwording them is
> the same as taking other people's property and then denying them access to
> it. Not to mention the fact that he has also pointed out by his own disdain
> of this subject being aired that his own object paths are not as fully
> secure as they could be. Perhaps if people spent their energies correcting
> this problem rather than posting here about how stupid others are the world
> would be a safer place and no one would be any the wiser to who is secure and
> who is not.
>
> All that most people here are trying to do is help others in the community
> from the minority and share their knowledge on how to make a more secure
> environment. Sometimes to do this you have to explain the reasoning behind
> something in order for people to understand why to do it or what could
> happen if they don't.
>
> Now I will shut up and go back to sleep ;)
>

echomencer

Apr 7, 2002, 9:11am
Did I touch a nerve?

Your second condescending post only adds fuel to my point, not to mention
your lack of understanding of security, which, as you are providing hosting on
a commercial basis, is very poor in my opinion.

I fail to see the problem with not having public objects passworded unless
you have copied the entire aw object path to your private object path. If you
have done this then who is really the one exploiting others :)

This point aside I just love the way you haven't bothered to change the
object names. If you had prefixed the file names then zipped them you could
have passworded them without making security on your other objects an issue
as the signature files would not match if compared.
Again, simple logic not applied; perhaps you are the one that needs sleep,
not me ;) I just hope that you don't talk to your clients the way you do to
people in here; after all, we could be potential clients. I just hope
technology provides your clients with a more professional service than your
attitude does ;)

Sleeps once again ZZZZZZZZzzzzzzzzzZZZZZZZZzzz....

jerme

Apr 8, 2002, 12:04am
Insanity, I'm sorry... All due respect, but your point is irrelevant.
Anyone can find out the information I just gave out. It doesn't take any
special knowledge to crack a winzip password, other than how to do a search
on yahoo.

Try this search:
http://google.yahoo.com/bin/query?p=%2b%22winzip%22+%2b%22password%22&hc=0&hs=0

The search string was +"winzip" +"password"...

Read the first 10 or so items that come up, and you'll know more about
cracking a winzip password than you ever wanted to know. This info isn't
any kind of closely guarded secret or anything...

I didn't tell them anything they couldn't have read on their own...

Chill out, it will all be -O-K- :-) At the moment, there's nothing we
webmaster/world owners can do about it anyways. Why worry about it?

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeremy Booker
JTech Web Systems
(www.JTechWebSystems.com -- Coming Soon)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Awportals.com is a privately held community resource website dedicated to Active Worlds.
Copyright (c) Mark Randall 2006 - 2024. All Rights Reserved.