MTAS and other NHS websites
Ian G Batten
ukcrypto at chiark.greenend.org.uk
Sun, 6 May 2007 02:15:49 +0100
On 5 May 2007, at 13:41, PeteM wrote:
>
> In last night's Ch4 item, they said a doctor only had to change two
> digits of the URL that pointed to his own data, to get a valid URL
> for data referring to another doctor. (I think it was two.)
You can see how the conversation went, can't you? A developer
pointed out that checking credentials on every transaction will slow
things down, both in development and runtime terms. So they opted to
just check credentials at the outset, and then bury a tracking number
in the URL. That's bad: anyone who gets hold of the URL from a proxy
log or the footer of a printout is in free. But the conversation
never got on to the problem of the search space. If every number is
a valid number, they're screwed. Had they instead hashed them into
128-bit quantities, so that only a tiny fraction of possible numbers
were actually valid, they'd have got away with it.
[[ Ever stayed in a Formula 1 hotel? They use six-digit PINs for
access to rooms. Why? Because it's also a PIN for the front door,
and with 100 rooms it's only equivalent to four digits. ]]
ian
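The following is an added illustration of the argument in the post above, not code from the ukcrypto thread or from MTAS. It models a lookup service three ways: the design the post describes (credentials checked once at login, then a bare sequential record number in the URL, which an attacker reaches by altering a few digits of his own URL), the same service re-checking the caller on every transaction, and the post's suggested alternative of a 128-bit identifier so that almost nothing an attacker can type is a valid URL. The record numbers, logins, record contents and the server key are all constructed for the demo. One detail the post does not specify and this example assumes: the 128-bit value is a keyed HMAC of the record number, truncated to 128 bits, rather than an unkeyed hash, so that knowing someone's record number is not enough to recompute their URL. The Formula 1 aside is covered by the last function, which works out how many PIN digits a shared front-door code is really worth.

```python
"""Sequential record numbers in URLs versus unguessable 128-bit tokens.

Added example for the ukcrypto post; not code from the post or from MTAS.
All record numbers, logins, record contents and the key are constructed.
"""
import hashlib
import hmac
import math
import secrets

# Constructed sample data: record number -> (owner login, record contents).
RECORDS = {
    4310: ("dr_smith", "Dr Smith: application, referee comments, scores"),
    4311: ("dr_patel", "Dr Patel: application, referee comments, scores"),
    4312: ("dr_jones", "Dr Jones: application, referee comments, scores"),
    4327: ("dr_okoro", "Dr Okoro: application, referee comments, scores"),
}


def fetch_sequential(number):
    """The design the post describes: credentials were checked at login, after
    which the URL carries a bare record number and the server serves whatever
    that number names, to whoever asks."""
    rec = RECORDS.get(number)
    return rec[1] if rec else None


def enumerate_from_own_url(own_number, radius):
    """What the doctor on Channel 4 did: change a couple of digits in his own
    URL.  Returns every other record reached within +/- radius of his number."""
    found = {}
    for n in range(own_number - radius, own_number + radius + 1):
        if n == own_number:
            continue
        data = fetch_sequential(n)
        if data is not None:
            found[n] = data
    return found


def fetch_checked(session_user, number):
    """Alternative 1: check credentials on every transaction.  The URL may still
    carry the sequential number, but the record is released only to its owner."""
    rec = RECORDS.get(number)
    if rec is None or rec[0] != session_user:
        return None
    return rec[1]


class TokenService:
    """Alternative 2 (the post's suggestion): put a 128-bit value in the URL
    instead of the record number, so that only a tiny fraction of the space of
    possible URLs names a real record.

    Assumption of this example: the value is a keyed HMAC (server secret key)
    truncated to 128 bits, so someone who knows a record number still cannot
    compute its URL without the key."""

    def __init__(self, key):
        self.key = key
        self.by_token = {self.token_for(n): n for n in RECORDS}

    def token_for(self, number):
        mac = hmac.new(self.key, str(number).encode(), hashlib.sha256).digest()
        return mac[:16].hex()  # 128 bits = 32 hex digits in the URL

    def fetch(self, token):
        number = self.by_token.get(token)
        return RECORDS[number][1] if number is not None else None


def guess_tokens(service, attempts):
    """Attacker who knows only the token format: try random 128-bit values.
    Returns how many guesses hit a real record (expected: zero)."""
    hits = 0
    for _ in range(attempts):
        if service.fetch(secrets.token_hex(16)) is not None:
            hits += 1
    return hits


def valid_fraction(valid_count, bits=128):
    """Fraction of the identifier space that names a real record; the expected
    number of guesses to find one is roughly the reciprocal."""
    return valid_count / (2 ** bits)


def effective_pin_digits(pin_digits, doors_sharing_code):
    """The hotel aside: one PIN per room, but all of them open the front door.
    A six-digit PIN shared by 100 rooms is worth 10**6 / 100 = 10**4 guesses,
    i.e. four digits."""
    return math.log10(10 ** pin_digits / doors_sharing_code)


if __name__ == "__main__":
    print("sequential, radius 20:", enumerate_from_own_url(4311, 20))
    print("checked, wrong owner:", fetch_checked("dr_patel", 4312))
    svc = TokenService(b"constructed-demo-key")
    print("token URL for 4311:", svc.token_for(4311))
    print("random hits in 100000 tries:", guess_tokens(svc, 100_000))
    print("valid fraction, 4 records:", valid_fraction(len(RECORDS)))
    print("hotel PIN worth (digits):", effective_pin_digits(6, 100))
```

Run as a script it prints the three neighbouring records that the digit-edit reaches, a refusal from the per-request check, a 32-hex-digit token, zero random hits, the valid fraction 4/2^128 and the figure 4.0 for the hotel. The two alternatives are not interchangeable in practice: the unguessable token only helps against someone who has to guess, not against someone who has the URL from a proxy log or a printout, which is exactly the leak the post mentions, so the per-request check is the one that closes that hole.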