How to protect chat messages from man in the middle (PHP, JavaScript) -



How to protect chat messages from man in the middle (PHP, JavaScript) -

i'm working on chat scheme website. i'm no wondering how protect integrity of message. i'm doing via

chat.class.php class chat{ private $config; private $randomjsonrpc; private $mysql; function __construct($config = 'chat.config.json') { $this->config = $config; unset($config); if(file_exists($this->config)) { $config = json_decode(file_get_contents($this->config), false); $config->configfile = $this->config; $this->config = $config; unset($config); } else { $this->error('configtest'); } require_once 'jsonrpc.class.php'; $jsonrpc = new jsonrpcclient('https://api.random.org/json-rpc/1/invoke'); $this->randomjsonrpc = $jsonrpc; unset($jsonrpc); $this->mysql = $this->database(); } private function database() { if($this->config->salt == 'random') { $random = $this->random(8, 'string'); $this->config->salt = $random; $file = $this->config->configfile; unset($this->config->configfile); file_put_contents($file, json_encode($this->config)); } $mysql_function = $this->config->drivers->mysql; if($mysql_function == 'mysqli') { $connection = new mysqli($this->config->mysql->host, $this->config->mysql->user, $this->config->mysql->password, $this->config->mysql->database)or $this->error('mysql connection', mysqli_error()); homecoming $connection; } else { error('mysqli connection driver'); } } public function hash($input, $algo = 'blowfish') { if($algo == 'blowfish') { $hash_algo = '$2a'; $cost = '$10'; } elseif($algo == 'md5') { $hash_algo = '$1'; $cost = ''; } else { $this->error('algo availibility check', 'chat.class.php#class:chat->hash('.$input.', '.$algo.')'); } $salt = substr(sha1($this->config->salt),0,22); homecoming crypt($input, $hash_algo.$cost.'$'.$salt); } public function random($length, $address = 'string') { $jsonrpc = $this->randomjsonrpc; if($address == 'string') { $params = new stdclass; $params->apikey = $this->config->randomapikey; $params->n = 1; $params->length = $length; $params->characters = 'abcdefghijklmnopqrstuvwxyz1234567890'; $params->replacement = true; $data = $jsonrpc->generatestrings($params); homecoming $data->random->data[0]; } else { $this->error('json-rpc address test'); } } public function readnewmessages() { homecoming 'dev.testing'; } private function error($test, $extrainfo = false, $status = false) { if($status == false , $extrainfo == false) { die($test.': <span style="color: red;">failed</span><br />'.php_eol); } elseif($status != false , $extrainfo == false) { echo $test.': <span style="color: green;">ok</span><br />'.php_eol; } elseif($status == false , $extrainfo != false) { die($test.': <span style="color: red;">failed('.$extrainfo.')</span><br />'.php_eol); } elseif($status != false , $extrainfo != false) { echo $test.': <span style="color: green;">ok('.$extrainfo.')</span><br />'.php_eol; } } } ?>

chat.php should retrive new posts

<?php header('content-type: application/json'); include 'chat.class.php'; $chat = new chat(); if(session_id()) { session_close(); } $i = 1; $message = null; while(!$message) { sleep(1); $data = $chat->readnewmessages(); $i++; } $response = array('data' => $data, 'itnegrity' => //here wondered how save integrity. ); echo json_encode($message); ?>

i have 3 things, use.

md5 hashing message use ssl encrypt message via client generated password send encrypted users password server , message sended encrypted users password to.

the application still in development , not working. want utilize long polling retrive either message or heartbeat server.

option #1 not reply in itself, can hash, including attackers.

a mitm can alter code on client if ssl not used. maybe can exchange xml encoded messages (as in alternative #3) without ssl using message authentication codes, wonder gain on ssl; ssl very more efficient , known secure.

so in end - case - left ssl if client browser. alternative #2.

javascript php encryption chat data-integrity

Comments

Post a Comment

Popular posts from this blog

xslt - DocBook 5 to PDF transform failing with error: "fo:flow" is missing child elements. Required content model: marker* -

xslt - DocBook 5 to PDF transform failing with error: "fo:flow" is missing child elements. Required content model: marker* - i've inherited doc publishing process takes docbook , builds html , pdf output, using apache fop both. project had been started, never completed. lots of tweaking, i've able of doc sets build (20+), except handful, , fail severe code 1 of these 2 conditions: "fo:flow" missing kid elements. required content model: marker* "fo:block" not valid kid of "fo:root" the xml output comes out of docbook , docbook-fop checks out well-formed. the fop error in 1 book, "endecagloss", example, points end of string: <fo:flow flow-name="xsl-region-body" start-indent="4pc" end-indent="0pt"/> here’s log output in case: [java] severe: javax.xml.transform.transformerexception: file:/scratch/publishing/hudson/jobs/build-main-endeca-documentation/workspace/serverdoc/w...
Read more

mediawiki - How do I insert tables inside infoboxes on Wikia pages? -

mediawiki - How do I insert tables inside infoboxes on Wikia pages? - i want insert tables in infoboxes. example, have proteinbox i've developed using infobox template (http://health-and-medicine.wikia.com/wiki/template:proteinbox), , fasta field big fit comfortably in proteinbox. hence collapsible table within box. this tried: {{infobox | row 1 = {| class = "mw-collapsible mw-collapsed wikitable" |- | <!-- table content --> |} }} your problem is, putting nested table within template. pipe characters ( | ) in table syntax collides pipe usage in templates. the commonly used hack around create template called template:! , containing pipe character, , utilize when need set tables, parser functions or other stuff using pipe characters, within templates. table (with every | replaced {{!}} ): {{{!}} {{!}}- {{!}} a1 {{!}} b1 {{!}}- {{!}} a2 {{!}} b2 {{!}}} ...the equivalent of {| |- | a1 | b1 |- | a2 | b2 |} furthermore, hav...
Read more

Local Service User Logged into Windows -

Local Service User Logged into Windows - i created windows service tracks app server user connected through load balancer. it retrieves user logged windows on machine, cross references active directory (ad) business relationship homecoming first name, lastly name , e-mail (for notification through website created project) there 1 scheme on network users remote system, vista system, reason returning values "local service" logged machine, it's weird , security guys impossible "local service" business relationship logged windows. here how user logged windows managementscope ms = new managementscope("\\\\.\\root\\cimv2"); objectquery query = new objectquery("select * win32_computersystem"); managementobjectsearcher searcher = new managementobjectsearcher(ms, query); foreach (managementobject mo in searcher.get()) { _username = mo["username"].tostring(); } // remove domain part username string[] usernameparts = _...
Read more