Quote:
Originally posted by Big E
Wow.. welcome to two years ago. Zspoof has been around at LEAST that long.
And most plug-in content providers STILL base their security on referring urls.
Holio is the only plug-in content provider that I'm aware of that uses a reasonably secure token-based system. Last time I checked you had to ask them to use it; otherwise they too were referring-URL based.
Just this week Homegrown sent an email asking their customers to change their link codes to a new system. Now they use sessions to verify the surfer came from the right site. However, they still set those sessions based on the referring URL.
What I don't get is that it is so pathetically easy to create a simple token-based system but practically nobody wants to do it. All it requires is: the ability to run scripts, an accurate server time, access to a hashing function (such as md5), and a shared "secret". It's easy as pie, and in half a day you could write up the necessary scripts (perl, php, asp, etc.) for unix or windows servers.
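A worked version of the token scheme the post sketches, added here as an example and not the poster's own code. It uses HMAC-SHA256 over the site id and a Unix timestamp rather than a bare md5 of secret and time (HMAC is the standard keyed construction; the md5 variant the post mentions would work the same way), checks the timestamp against a freshness window so copied links expire, and compares MACs in constant time. The secret, site id and 300-second TTL are constructed values for the example.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed values for the example. A real deployment would use a long
# random secret known only to the referring site and the content provider.
SHARED_SECRET = b"example-shared-secret-not-for-production"
TOKEN_TTL_SECONDS = 300   # how long a generated link stays valid
CLOCK_SKEW_SECONDS = 60   # tolerated difference between the two servers' clocks


def make_token(site_id: str, secret: bytes = SHARED_SECRET,
               now: Optional[int] = None) -> str:
    """Build a link token of the form <site_id>.<unix_time>.<hex_mac>.

    The MAC covers both the site id and the timestamp, so neither field can
    be changed without knowing the shared secret.
    """
    ts = int(time.time()) if now is None else now
    msg = f"{site_id}.{ts}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{site_id}.{ts}.{mac}"


def verify_token(token: str, secret: bytes = SHARED_SECRET,
                 now: Optional[int] = None, ttl: int = TOKEN_TTL_SECONDS) -> bool:
    """Return True only if the MAC is correct and the timestamp is fresh."""
    try:
        # rsplit lets the site id itself contain dots; the last two fields
        # are always the timestamp and the MAC.
        site_id, ts_str, mac = token.rsplit(".", 2)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed token
    current = int(time.time()) if now is None else now
    # Reject tokens dated in the future (beyond skew) or older than the TTL,
    # so a link copied from one page stops working once it is stale.
    if ts > current + CLOCK_SKEW_SECONDS or current - ts > ttl:
        return False
    expected = hmac.new(secret, f"{site_id}.{ts}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    t = make_token("partner-site")
    print(t, verify_token(t))
```

The referring site embeds `make_token(...)` in its link codes, and the content provider runs `verify_token` before serving, so no Referer header is involved.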