SSL Encryption: Difference between revisions

From AniDB
Revision as of 18:50, 27 April 2009

Quote from exp on the anidb tracker (2008-04-17 23:43)

URL: https://anidb.net
*2008-06-03: new ssl certificates*

ROOT CA: http://static.anidb.net/misc/ca.crt
SHA1 Fingerprint=BE:BB:3D:9D:5D:77:FE:AB:77:89:F5:37:57:DB:82:AA:C3:3A:CF:CA
Please note: All requests for images, stylesheets and other page elements are NOT encrypted. Such requests should usually not be directed towards "anidb.net" but rather towards specific subdomains (i.e. "static.anidb.net" or "imgX.anidb.net"). Requests to subdomains do not include the AniDB authentication cookies and should thus not allow attackers to hijack your AniDB session.

This means that:

a) If we've accidentally hardcoded an access to http://anidb.net somewhere, this would instantly allow an attacker to obtain your session authorisation cookie.

b) Attackers may be able to infer the AniDB pages you're browsing on and your AniDB user id by looking at the cookie and referrer data sent to AniDB subdomains when stylesheet and image data is loaded. For maximum security you should browse AniDB with all images and stylesheets disabled. Or, the recommended approach, use some VPN.
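The two cases above follow from how browsers scope cookies and Referer headers, and they can be checked mechanically. The script below is an added example written for this page, not AniDB code and not from exp's post: it applies RFC 6265 domain matching to decide whether a cookie set by https://anidb.net is attached to a plaintext subresource request, applies a Referrer-Policy to decide whether the page URL is sent along, and reports what a passive sniffer would see. The cookie name "sess", the page path "/some-page", the subresource paths and the policy values passed in are assumptions; only the host names anidb.net, static.anidb.net and imgX.anidb.net (instantiated here as img1) come from the page.

```python
"""Model of what a passive sniffer sees when an HTTPS page loads plaintext
subresources. Added example for this page; not AniDB code. Cookie names,
page paths and the Referrer-Policy values below are assumptions."""
from typing import Dict, List, Optional
from urllib.parse import urlparse


def domain_matches(request_host: str, cookie_domain: Optional[str], origin_host: str) -> bool:
    """RFC 6265 domain matching. No Domain attribute => host-only cookie,
    sent only to the exact host that set it. Domain=anidb.net => sent to
    anidb.net and every subdomain (static.anidb.net, img1.anidb.net, ...)."""
    host = request_host.lower()
    if cookie_domain is None:
        return host == origin_host.lower()
    d = cookie_domain.lower().lstrip(".")
    return host == d or host.endswith("." + d)


def cookie_sent(url: str, cookie: Dict, origin_host: str = "anidb.net") -> bool:
    """Would a browser attach `cookie` (set by https://anidb.net) to `url`?"""
    u = urlparse(url)
    if cookie.get("secure") and u.scheme != "https":
        return False  # Secure cookies never travel over plaintext
    return domain_matches(u.hostname or "", cookie.get("domain"), origin_host)


def referer_header(page_url: str, target_url: str, policy: str) -> Optional[str]:
    """Referer value for a subresource request under a given Referrer-Policy."""
    p, t = urlparse(page_url), urlparse(target_url)
    downgrade = p.scheme == "https" and t.scheme == "http"
    if policy == "unsafe-url":
        return page_url
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else page_url
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        same_origin = (p.scheme, p.netloc) == (t.scheme, t.netloc)
        return page_url if same_origin else f"{p.scheme}://{p.netloc}/"
    raise ValueError(f"unsupported policy {policy!r}")


def audit(page_url: str, subresources: List[str], cookie: Dict,
          policy: str = "no-referrer-when-downgrade") -> Dict[str, Dict]:
    """For each subresource: a verdict plus the request data readable on the wire.

    session_leak : plaintext request carrying the session cookie (case a)
    plaintext    : plaintext request without the cookie; the URL itself and
                   any Referer are still readable (case b)
    ok           : HTTPS request, only the destination host is exposed
    """
    out: Dict[str, Dict] = {}
    for url in subresources:
        if urlparse(url).scheme == "https":
            out[url] = {"verdict": "ok", "visible": []}
            continue
        visible = [f"GET {url}"]
        ref = referer_header(page_url, url, policy)
        if ref:
            visible.append(f"Referer: {ref}")
        if cookie_sent(url, cookie):
            visible.append(f"Cookie: {cookie['name']}=<session value>")
            out[url] = {"verdict": "session_leak", "visible": visible}
        else:
            out[url] = {"verdict": "plaintext", "visible": visible}
    return out


# Constructed inputs (assumptions, not AniDB's real cookie or paths).
HOST_ONLY = {"name": "sess", "domain": None, "secure": False}
DOMAIN_WIDE = {"name": "sess", "domain": ".anidb.net", "secure": False}
PAGE = "https://anidb.net/some-page"
SUBRESOURCES = [
    "http://static.anidb.net/css/style.css",
    "http://img1.anidb.net/pics/1.jpg",
    "http://anidb.net/pics/logo.png",   # the accidentally hardcoded access from (a)
    "https://anidb.net/pics/logo.png",
]

if __name__ == "__main__":
    for name, c in (("host-only", HOST_ONLY), ("domain-wide", DOMAIN_WIDE)):
        print(f"== cookie scope: {name} ==")
        for url, r in audit(PAGE, SUBRESOURCES, c, policy="unsafe-url").items():
            print(f"{r['verdict']:13} {url}  {r['visible']}")
```

With a host-only session cookie, only the hardcoded http://anidb.net fetch produces a session_leak; a cookie set with Domain=.anidb.net leaks on every plaintext subdomain fetch, which is why the post's "no auth cookies on subdomains" property depends on the cookie's Domain attribute, and why the Secure attribute stops the leak even when a plaintext anidb.net URL slips in. The Referer part of case (b) depends on the referrer policy in force: the post's scenario corresponds to unsafe-url, while the current browser default, strict-origin-when-cross-origin, sends no Referer at all on an HTTPS-to-HTTP load. The plaintext image and stylesheet URLs themselves remain readable regardless of policy.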