Archis Gore
Top achievements
Rank 1
Rank 1
Archis Gore
asked on 01 Apr 2010, 09:54 AM
I noticed an interesting phenomenon. When the page is rendered, and if I copy the chart image PNG URL to another browser on another machine, it works for a few minutes. My pages are being served over HTTPS so there is little risk someone can directly copy the URL.
I wanted to know if there is any chance this URL is guessable by third-parties, and what privacy risks there may be. I could be serving up potentially personal information in a chart and wanted to ensure there is no risk to user's data.
I wanted to know if there is any chance this URL is guessable by third-parties, and what privacy risks there may be. I could be serving up potentially personal information in a chart and wanted to ensure there is no risk to user's data.
5 Answers, 1 is accepted
0
Hello Archis Gore,
There is a unique GUID generated for each chart image. This GUID is updated during each control lifecycle (render stage). Once it is viewed it is stored in the Cache object for 5 minutes. When the cache expires it is lost forever. So unless the attacker can somehow guess the GUID generated for the image there is little chance to read the image.
Best wishes,
Vladimir Milev
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
There is a unique GUID generated for each chart image. This GUID is updated during each control lifecycle (render stage). Once it is viewed it is stored in the Cache object for 5 minutes. When the cache expires it is lost forever. So unless the attacker can somehow guess the GUID generated for the image there is little chance to read the image.
Best wishes,
Vladimir Milev
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
0
Federico Raggi
Top achievements
Rank 1
Rank 1
answered on 05 Apr 2010, 07:27 PM
Is there aconfiguration option to alter this behavior so, for example, the image timeouts after 1 minute instead of 5?
0
Hi Federico Raggi,
Unfortunately there is no API in place to control this setting. However, as customer you should have access to the source code and you can change the following line in the ProcessRequest method of the ChartHttpHandler class:
We sincerely apologize for the inconvenience caused.
All the best,
Vladimir Milev
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
Unfortunately there is no API in place to control this setting. However, as customer you should have access to the source code and you can change the following line in the ProcessRequest method of the ChartHttpHandler class:
context.Cache.Add(name, stream, null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(5.0), CacheItemPriority.Normal, null);We sincerely apologize for the inconvenience caused.
All the best,
Vladimir Milev
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
0
Chris W. Rea
Top achievements
Rank 1
Rank 1
answered on 21 May 2010, 08:47 PM
Interesting note about the GUIDs. But, does RadChart simply use built-in .NET methods to generate those GUIDs? If so there may be a theoretical weakness due to the way GUIDs are generated. Refer to Wikipedia at http://en.wikipedia.org/wiki/Guid#Algorithm :
"V4 GUIDs use the later algorithm, which is a pseudo-random number. These have a "4" in the same position, for example {38a52be4-9352-453e-af97-5c3b448652f0}. More specifically, the 'data3' bit pattern would be 0001xxxxxxxxxxxx in the first case, and 0100xxxxxxxxxxxx in the second. Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random; given full knowledge of the internal state, it is possible to predict previous and subsequent values."
GUIDs were designed to guarantee uniqueness, not un-guessability. A much better approach would be to use a secure random number generator such as that provided by .NET's System.Security.Cryptography.RandomNumberGenerator ... the values generated by such an RNG ought to be less deterministic than GUIDs.
0
Hi Chris,
Thank you for pointing this. I would not doubt System.Security.Cryptography.RandomNumberGenerator is more secure, but I just want to draw your attention to this part: "...since the sequence of V4 GUIDs is pseudo-random; given full knowledge of the internal state, it is possible..." While I am not really sure what "full knowledge" means in this case, I believe any attacker would have hard time retrieving it, given that they would only be able to collect a number of GUID's which are not guaranteed to be consecutive ones, and that makes RadChart secure enough. Nevertheless, I will make sure our developers are aware of your feedback.
Best regards,
Ves
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
Thank you for pointing this. I would not doubt System.Security.Cryptography.RandomNumberGenerator is more secure, but I just want to draw your attention to this part: "...since the sequence of V4 GUIDs is pseudo-random; given full knowledge of the internal state, it is possible..." While I am not really sure what "full knowledge" means in this case, I believe any attacker would have hard time retrieving it, given that they would only be able to collect a number of GUID's which are not guaranteed to be consecutive ones, and that makes RadChart secure enough. Nevertheless, I will make sure our developers are aware of your feedback.
Best regards,
Ves
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.