User Self Registration Security

 
Greenhorn
Posts: 6
Question:

Does someone know how one would secure a self-registration email so that
no one but the email recipient could use the confirmation link? Assume
a scenario such as:

1. A user registers at a site and enters their email.
2. The website creates an account for the user and sends them a
confirmation email with an https link back to the website to confirm
the registration.
3. The user receives the email, clicks on the link and the user is taken
to a web page where they finish registration.

How is the email link secured so that someone else cannot intercept the
email and register under the user's account and essentially steal their
identity?
 
Rancher
Posts: 4686
Are you asking how an email sent to a generic address can be sent securely?
And guarantee that no man-in-the-middle can intercept it and steal the account?

I'm pretty sure you can't do this with email, or at least with unencrypted email.

It's trivial if the users use PEM or PGP or GPG. Sadly, nobody uses them, and setting them up is not trivial. Sending secure email is why PEM and PGP were invented last century.
 
Rancher
Posts: 43028
To make use of the account you'd still need to enter the password, right? Clicking the confirmation link just enables the account - it doesn't let the person do anything with it. So even if the email got intercepted, the attacker would also have had to intercept the original HTTPS traffic to know the password. That seems an unlikely scenario.
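The design the reply above describes, as an added example that is not code from the thread: the confirmation link carries a high-entropy, single-use, expiring token; the server stores only a hash of that token (so a database leak does not expose live links); and confirming the account requires re-entering the password chosen over HTTPS at registration, so an intercepted email alone is not enough. The in-memory dictionary, the injectable clock and the `example.invalid` URL are constructed stand-ins, not anything from the original post.

```python
"""Email-confirmation token flow (added example; assumptions are marked inline)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumption: a link is valid for one day
PBKDF2_ROUNDS = 200_000


def _token_digest(token: str) -> str:
    # Only the digest of the token is persisted; the token itself lives in the link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value cannot be reversed into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PendingRegistrations:
    """Accounts that exist but are not yet confirmed (dict stands in for a database)."""

    def __init__(self, now=time.time):
        self._now = now                    # injectable clock, used to test expiry
        self._by_digest: dict = {}

    def register(self, email: str, password: str) -> str:
        """Create the unconfirmed account and return the one-time token for the link."""
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable
        self._by_digest[_token_digest(token)] = {
            "email": email,
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "expires_at": self._now() + TOKEN_TTL_SECONDS,
            "confirmed": False,
        }
        return token

    @staticmethod
    def confirmation_link(token: str) -> str:
        # Hypothetical host; the link must only ever be served over HTTPS.
        return f"https://example.invalid/confirm?token={token}"

    def confirm(self, token: str, password: str) -> tuple:
        """Accept the link only if the token is known, unused and unexpired,
        and the registration password is presented again."""
        rec = self._by_digest.get(_token_digest(token))
        if rec is None:
            return (False, "unknown token")
        if rec["confirmed"]:
            return (False, "token already used")
        if self._now() > rec["expires_at"]:
            return (False, "token expired")
        candidate = hash_password(password, rec["salt"])
        # Constant-time comparison so response timing leaks nothing about the hash.
        if not hmac.compare_digest(candidate, rec["pw_hash"]):
            return (False, "password mismatch")
        rec["confirmed"] = True                # single use: the link is now dead
        return (True, rec["email"])


if __name__ == "__main__":
    store = PendingRegistrations()
    tok = store.register("alice@example.invalid", "correct horse battery")
    print("mail this link:", store.confirmation_link(tok))
    print("email only:", store.confirm(tok, "guess"))            # rejected
    print("email + password:", store.confirm(tok, "correct horse battery"))
    print("replay:", store.confirm(tok, "correct horse battery")) # rejected
```

Someone who reads the email but not the original HTTPS registration traffic gets as far as "password mismatch"; once the rightful user confirms, a replay of the same link fails as "token already used", and a link that sits in a mailbox for longer than the TTL fails as "token expired".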
 
Ranch Hand
Posts: 1282
Originally posted by Roger Ball:
(..snip..) How is the email link secured so that someone else cannot intercept the email and register under the user's account and essentially steal ( an ) identity.

There is no such thing as secure email; anyone may read your email at any time with no protection by statute. See docs on PGP for a discussion of the matter. The ONLY way to protect such is by full-house cryptographics.

In actuality there is no substantial diff between hypertext transfer and electronic mail transfer except that email is by design a store and forward system where http is a stateless browser. ( spare me, pros - I am trying to simplify for clarity ) Going to email to verify https is tantamount to asking a stranger on the street to meet you later this evening with the keys to your house. One may not have a lot of pricey stuff in the front room, but that won't matter when you get home..... (duh)