
User Self Registration Security

Roger Ball

Joined: Jul 08, 2003
Posts: 6

Does someone know how one would secure a self-registration email so that
no one but the email recipient could use the confirmation link? Assume
a scenario such as:

1. A user registers at a site and enters their email.
2. The website creates an account for the user and sends them a
confirmation email with an https link back to the website to confirm
the registration.
3. The user receives the email, clicks on the link and the user is taken
to a web page where they finish registration.

How is the email link secured so that someone else cannot intercept the
email and register under the user's account and essentially steal their identity?
Pat Farrell

Joined: Aug 11, 2007
Posts: 4659

Are you asking how an email sent to a generic address can be sent securely,
and guarantee that no man-in-the-middle can intercept it and steal the account?

I'm pretty sure you can't do this with email, or at least not with unencrypted email.

It's trivial if the users use PEM or PGP or GPG. Sadly, nobody uses them, and setting them up is not trivial. Sending secure email is why PEM and PGP were invented last century.
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
To make use of the account you'd still need to enter the password, right? Clicking the confirmation link just enables the account - it doesn't let the person do anything with it. So even if the email got intercepted, the attacker would also have had to intercept the original HTTPS traffic to know the password. That seems an unlikely scenario.
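As an added example (not code from any poster in this thread), here is the design Ulf's point implies: the confirmation token is random, stored only as a hash, expiring and single-use, and confirming it merely activates the account; logging in still requires the password set over HTTPS. The in-memory `Registry` class, its store layout and the 24-hour TTL are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the thread): an in-memory stand-in for the
# website's database. Real code would persist these in a DB.
TOKEN_TTL_SECONDS = 24 * 3600

def _digest(token: str) -> str:
    # Only a hash of the link token is stored, so a leaked table
    # does not hand out usable confirmation links.
    return hashlib.sha256(token.encode()).hexdigest()

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Registry:
    def __init__(self, now=time.time):
        self._now = now
        self._accounts = {}  # email -> {"salt", "pw_hash", "active"}
        self._pending = {}   # sha256(token) -> (email, expires_at)

    def register(self, email: str, password: str) -> str:
        """Steps 1-2: create an inactive account, return the link token."""
        salt = secrets.token_bytes(16)
        self._accounts[email] = {
            "salt": salt, "pw_hash": _hash_pw(password, salt), "active": False}
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._pending[_digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token  # placed in the https confirmation link

    def confirm(self, token: str) -> bool:
        """Step 3: activate the account. Single-use and expiring; it
        does NOT log anyone in, so the link alone is worth little."""
        entry = self._pending.pop(_digest(token), None)  # pop => one use
        if entry is None:
            return False
        email, expires_at = entry
        if self._now() > expires_at:
            return False
        self._accounts[email]["active"] = True
        return True

    def login(self, email: str, password: str) -> bool:
        # Using the account still needs the password chosen over HTTPS.
        acct = self._accounts.get(email)
        if acct is None or not acct["active"]:
            return False
        return hmac.compare_digest(acct["pw_hash"], _hash_pw(password, acct["salt"]))
```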
Nicholas Jordan
Ranch Hand

Joined: Sep 17, 2006
Posts: 1282
Originally posted by Roger Ball:
(..snip..) How is the email link secured so that someone else cannot intercept the email and register under the user's account and essentially steal ( an ) identity.

There is no such thing as secure email; anyone may read your email at any time with no protection by statute. See docs on PGP for a discussion of the matter. The ONLY way to protect such is by full-house cryptographics.

In actuality there is no substantial diff between hypertext transfer and electronic mail transfer except that email is by design a store and forward system where http is a stateless browser. ( spare me, pros - I am trying to simplify for clarity ) Going to email to verify https is tantamount to asking a stranger on the street to meet you later this evening with the keys to your house. One may not have a lot of pricey stuff in the front room, but that won't matter when you get home.....(duh)

"The differential equations that describe dynamic interactions of power generators are similar to that of the gravitational interplay among celestial bodies, which is chaotic in nature."