Cross Site Request Forgery - Computerphile

Views: 764,598

Computerphile

1 day ago

Comments: 350
@Sam_596 6 years ago
"But since then, it's got a bit more complicated" -Tom Scott, 2013, describing the internet and the history of the universe in one sentence.
@VictorFrost 10 years ago
I love how passionate Tom is about this. You can really see it in his face and hear it in his voice.
@ionlymadethistoleavecoment1723 8 years ago
As someone who is a complete novice, and is trying to learn about how to make websites, Tom Scott has made me terribly afraid of screwing something up and having a massive security hole.
@olatrials 9 years ago
The funniest thing about your videos is when you talk as if you were the server, interpreter, code or whatever! It would be funny as hell if that was the case, imagine trying to do something malicious, and having the server respond "Well, that's wrong. I'm not having that." in Tom's voice!
@matts.1352 10 years ago
I remember 6 years ago (I was 12), I'd mess around with chat rooms for fun. Of course, doing so itself was stupid, but it taught me about modifying post-actions and functions, and also about proper security in how users interact with websites. Basically, I had a plugin that let me edit post data before it was sent to the site. I'd mess around with the chat a few times, see what values changed in the post data, and then figured out what separate parts and values in the data were for. Eventually, I figured out how to modify the sessionID to be the same as other users, so that I didn't have to be in the chat to play around with it. I also learned how to mess with chat servers' screen-name authentication, and to modify my screen-name when I was in the chat. Worst yet, I learned how to modify user-permissions and mess around with the admin-panel login page so that the chat server thought I was an authentic admin that logged in through the admin-panel and let me use admin operations. Of course, at the time I used it for immature things, but I eventually started thinking of ways for how the website could have avoided those problems. That sort of thinking helped inspire me to think in-depth about security in my programming projects.
@andersevenrud 10 years ago
Being a web-developer I highly enjoy this series. Tom really knows what he is talking about, and I just love the enthusiasm.
@suit1337 10 years ago
It disturbs me that you're a web developer and enjoy this :) You should already know all these issues
@andersevenrud 10 years ago
suit1337 Yes, I know about these issues. I think most of the developers out there enjoy these videos regardless of what they know about the subject. And there is always a chance of learning something new.
@nryle 10 years ago
suit1337 You do know that web developers can be new to web development right? We don't live in the age where the only way to learn something is through a proper school. You could easily start your web development very small time on your own and be unaware of the basic security flaws...
@suit1337 10 years ago
I'm aware of that, and that is a shocking development in this business. Take another work field for example: someone could not easily start a business as an electrician without proper education, but you can start as a web developer. There are lots of fools around here with no clue, even in the basic properties of the business, but they make shitloads of money with their crap, which really fills me, doing proper work, with anger. Just an example from my country (Austria): the website of our ex financial minister was priced at 220.000 Euro; the website of the agricultural ministry cost about 5,5 Million Euros, and those websites are not even closely done properly and get defaced over and over again. Instead of blaming the stupid overpriced web developers with no proper education they blame the "bad hackers". A few weeks ago our interior ministry presented a new 100 % hackerproof "student licence"; it was hacked only 3 days after via a very simple SQL injection. I hope you understand that it disturbs me that every moron with no education can start a new 1 man web agency and start coding with no education in the field at all.
@nryle 10 years ago
suit1337 I understand this, it's true of anyone who takes pride in their work. It's not really that shocking though. This is true of any business until government steps in to regulate it. I think the true problem lies in the fact that Web Development is an all encompassing term even though it has several aspects: Design, Functionality, Reliability, Marketability, and, of course, Security. From what I've seen most people think these are the same, though many have started to separate design.
@steam2300 10 years ago
These are some of my favorite vids on computerphile! Security issues affect everyone and we need more clear explanations. I'd love for Tom to tackle jailbreaking.
@isaac10231 10 years ago
It's good having an episode of Computerphile, mainly because the intricate and important details in computers are _so complicated_ even though I (thought) that I knew about computers. This kinda gives me a foundation. Also you should probably talk about logic gates, whether it's Minecraft or whatnot; they explain how you could have two light switches for one light
@MegaChickenfish 6 years ago
Learning about this sort of thing really helps me understand *why* we covered all that stuff in Security class. At first glance it's like "oh jeez, look at all these layers upon layers of authentication, authorization, validation, validation-of-the-validation..." but these sorts of clever attacks are why. I didn't even know this sort of thing was possible.
@tedspens 8 years ago
I always wondered how Wordpress' nonce hash works. Thanks for the enlightenment!
@Blue.Diesel 8 years ago
Can't I just load the other form in an invisible iframe and then parse and search through the HTML retrieved? Use the token info and create my own form.
@ragir 10 years ago
Great, now I've got to rewrite the project I'm working on. I didn't know about this and it's so obvious. Good video!
@Airblader 10 years ago
If you have to rewrite a project to protect against CSRF attacks you are doing other things wrong as well
@IceMetalPunk 10 years ago
Rewrite? That sounds a bit like overkill. Just add a nonce token and you're as good as you'll get.
@otanix 7 years ago
I've been looking for a video that I can send to my non-techie friends to give them a slight idea about XSRF. This video is what I've seen so far that's layman-friendly.
@TheBreadCatt 10 years ago
Great and informative video as always. Loving the amount of Tom on this channel.
@Enriath 9 years ago
Ohhhhhh, so that's what the nonce thing is. Thanks Tom!
@MaxGuides 10 years ago
You request the token with your script and later in the script you use that token. Easy if the form is standardized, like deleting enemy Facebook pages
@coolsebz 10 years ago
This is great! :D I love the way Tom explains advanced terms in really simple ideas
@Imrooniel 10 years ago
This mini series on security is just wonderful. Love the content, love the voice, it's just great.
@CrystalblueMage 10 years ago
Being able to create your own version of a form and send that is a problem in general, as you could also strip out any checks in the original form you don't like.
@Betacak3 10 years ago
Speaking of account deletion, it's even safer to create a token and *not* return it directly to the user, but send an e-mail containing a link with this token.
@Fuogger 10 years ago
Can you explain this more? I think I get what you're getting at but please explain.
@Betacak3 10 years ago
Fuogger You may know this from several websites, when you have to click a link inside of an e-mail to confirm your action.
@eldizo_ 10 years ago
Will Tom be a regular? His bits are great.
@AceCorban 10 years ago
I get the concept of the token, but how does the server know if a token is valid once it gets the request? Since the web is stateless, it creates the form with a random token, then sends it on its way. So how does the server know if a token it gets back is valid? Store valid tokens in memory or a database?
@DevonBernard 10 years ago
Another great video guys, looking forward to more cool explanations. Keep up the awesome work!
@philipmylan654 10 years ago
I love this guy.
@yinge101 10 years ago
Couldn't you get around the one-time key thing by creating a hidden/tiny/offscreen (i)frame for the ‘transfer money’ form on the bank website, and then use JavaScript to automatically submit the form?
@ChrizzyWhite 10 years ago
Been waiting for this video
@techtutorish 10 years ago
Interesting as always!
@aerouk 10 years ago
This guy's videos are brilliant! Web security and hacking is so interesting. :)
@jayjaxx2557 8 years ago
Hmm, at 3:22 you can quite clearly see "my awesome blog" before Tom has drawn it. Oops
@mkaatr 10 years ago
Thanks for the video. This is really useful.
@GenericRubbishName 10 years ago
More from this guy!
@Stonerman023 10 years ago
These are my favorite *philes.
@MPG1410 10 years ago
This guy is awesome
@deathZor42 10 years ago
Bit skeptical about the advice, because I see a lot of PHP developers throw in a non-cryptographically secure random number and hope it will work, and the reality is, well, it takes more time but it can still be done, as most of the random number generators within PHP are not random (they are predictable)
@elpiel 10 years ago
Actually, even with a token, we can get it simply when the user enters the site: we go through our code to the page and get the token that is there now :) Or even better: on clicking -> go get token -> submit the permanent link =)
@Akshaylive 10 years ago
There are headers to block XSR if I'm not mistaken
@jakeceder 10 years ago
Where IS the brown paper?
@evildude109 10 years ago
Is this something I can see in context, like in the html of this web page? Where would it be in the code? I don't quite understand it yet.
@RONNIE5579 10 years ago
Telling people about how clicking anywhere on the internet could potentially cause mayhem, on a youtube video xD After watching this I wonder how many people thought deeply about posting a comment :L
@jdgrahamo 10 years ago
Very helpful, thank you.
@TessaBain 10 years ago
Wonder if the games I play use it in their deletion form? _goes off to make a post in the staff forum to bring it to their attention just in case_
10 years ago
What happens if we make a call to the page that generates the form and take the token from there?
@submissivepeanutbutter4030 5 years ago
More awesome blogs
@gwenynorisu6883 6 years ago
Interesting. This explains an awful lot of the things your typical online banking service does and the hoops it makes you jump through just to get access, let alone authorise any kind of activity...
@troyf1 9 years ago
Hummm... are those bars on the back window?
@rileypatterson7512 2 years ago
Man I do not know how I got this career but this is where I am so I have to learn this shit. Don’t get me wrong it’s really interesting it’s just really hard for me to learn this stuff.
@kaitlyn__L 10 years ago
Would modern browsers' tab sandboxing prevent that sort of thing?
@ja-vishaara 9 years ago
Tom, I'm never going to your blog, that's for sure now.
@o2dyt 10 years ago
"My hand has lower ambitions than my brain does" Yeaaah I know the feel...
@MozQit0 10 years ago
After just graduating with a Bachelor of Computer Science, I can safely say I would have loved to have this guy as a lecturer; he explains things simply, clearly, interestingly and correctly! I'd like to say a big thanks to Tom and the Computerphile team for spending their time and effort to make these great videos!
@craftxbox 7 years ago
Where's the brown paper?
@АндрейБеньковский-ш5к 8 years ago
This video inspired me to try to "steal" my CSRF token (as if I was trying to hack my own account). In the process I reinvented cross-origin HTTP requests and clickjacking. Turns out both these attacks are well-known and defended against.
@luiscanamarvega 9 years ago
Please, don't ever stop making these.
@TheWP120 8 years ago
These Tom Scott videos are so addictive, I can't stop watching! xD
@kiddor3 10 years ago
Ironically I saw "nonce" today in some code and I thought someone didn't follow the code standard for nOnce or n_once. Now I know what they meant.
@123456789robbie 10 years ago
Tom Scott is quickly becoming one of my favourite people on the internet. He's the kind of person I'd have wanted to be best friends with if we'd been kids at the same time and place
@user-wv8kr3yn6l 9 years ago
@harrydevokone9505 9 years ago
Simon S Dude...
@nowhereman3814 8 years ago
So...what the hell does nonce mean in Britain?
@MisterPorkchops 10 years ago
Tom is probably my favorite person on this channel. I just love the way he talks and I love the topics he has.
@thoughtsofadyingatheist1003 1 year ago
You'd be surprised how many web devs don't know about this in 2023
@ramikafa 10 years ago
This guy is an excellent presenter. Please, more of him.
@magnetar02p.23 7 years ago
I know this is not relevant to this video, but can you do a video on elliptic curve RSA cryptography?
@kuro68000 9 years ago
Why does the camera randomly zoom in sometimes? It's really distracting.
@florianmuellerCH 10 years ago
Damn. Your /delete?confirm=true statement was a 100% hit. Gotta rename my parameters ;D
@vinkuu 10 years ago
Here's one consideration on how important it is to validate user input on the server side. Take any disabled HTML element. Open up the Firebug console and run some JavaScript, e.g. using jQuery syntax: $('input').removeAttr('disabled'); $('input').removeAttr('readonly');. Then happily make any changes to the input elements and submit the changes.
@samramdebest 10 years ago
But what if the malicious webpage itself loads the bank site in the background? It can get the token that way.
@mart3323 10 years ago
Cross-site scripting is blocked in browsers. As a simple example, say I have a site with a bunch of livestream embeds, and I set up a script so that when I press F2, it scrolls to my favourite one. As soon as I click inside any of the streams, say the play button, F2 won't work, and it'll continue to not work until I click outside again, giving focus back to my own page. The only way they can load the bank would be to actually load the bank visibly to you, because you're the only one that can interact with it... the scripts can't, not theirs anyway
@samramdebest 10 years ago
I think that what you are saying is incorrect. I have done some coding with AJAX (Asynchronous JavaScript and XML) and it didn't need to be visible to be able to load, and almost every page on the internet gets data from other sites invisibly (I once had a Chrome extension that showed which site you visited and where they took data from; an average site connected to more than 20 different websites, like for tracking: Google Analytics)
@OKMX5 10 years ago
I think that the token will be different because it is another loading/creation of the form.
@samramdebest 10 years ago
What do you mean by another loading/creation of the form? It is not; the site downloads the form and the token, and then sends it back to the bank
@samramdebest 10 years ago
Oh, do you mean that even the request for the form, not only the submission, needs to be accompanied by the token? That would make more sense and would solve that problem, thanks
@won1853 10 years ago
Wow surprised to see no comments when I finished watching this. But of course there are 61 comments when I refresh the page :)
@flidrl 10 years ago
Ya know, if accepting requests from other websites would work, then the form would likely be accessible by JavaScript running from the other website as well. Which means my JavaScript could request the form, look for that random string of characters (fairly easily too) and add it to its spoofed request, meaning we would be back to square one.
@k776 10 years ago
The easiest way to get around most of these: Use a solid framework which helps prevent all these attack types. Take Ruby on Rails for example. While not perfect, the latest version is pretty good at avoiding SQL injection, XSS, and CSRF, along with other built in things, like secure cookies, and proper storage of passwords... with a framework doing most of the basic stuff, it's up to the developer not to do anything stupid.
@nosscire 10 years ago
Holy crap! While I have enjoyed these videos since the start of computerphile, this is the first time I directly learned, or more rightly, realized something. I do have webpages that are badly coded like this. Time to go off and fix!
@lloydnone 10 years ago
Oh wow. It's funny seeing people writing about how they implemented a 'nonse'. If only they knew. This was a great video! Tom is always so enthusiastic, it's great! One request would be making the felt-tipped pen sound quieter/non-existent. It makes my toes curl!
@FernieCanto 10 years ago
Word! That is even worse in Numberphile.
@Sc2mapper117 9 years ago
This was really interesting. I was aware of cross-site scripting and SQL injection but I had never heard of this. Thanks :)
@edinatl2008 9 years ago
Thanks for helping me learn the valuable lesson of what a 'nonce' is in UK.
@blob1190 7 years ago
Got an exam on this tomorrow, this was so helpful for me, thanks! The way you explain things makes them easily accessible
@juandig 7 months ago
this still goes under the radar 10y later btw
@Marphale 6 years ago
I don't understand this and must be missing something. What's to stop the malicious site from sending a GET request for the form and then (via javascript) sending the POST request with the token afterwards? If the answer is that the GET request is secured by the encrypted session ID for the user, then why does that encrypted session ID not secure the POST request also?
@TechMetalPenguin 10 years ago
And here's the third one... Tom great as always. By the way, with Django framework the way to prevent it is as simple and comfortable as adding {% csrf_token %} inside the form tag =).
@weckar 6 years ago
Of course, any real page doing this wouldn't try one bank; it'd try 20.
@EddyProca 10 years ago
If you like this guy (of course you do), check out his channel ***** he has some great videos on linguistics.
@mw2isepic1 10 years ago
This is indeed a big security hole. I did not know what CSRF did before so I couldn't apply a patch to my site. I can now though. Thanks Tom/Numberphile. Nicely explained :)
@krajek1985 9 years ago
Tom, You are the best. Keep making those excellent videos.
@Niosus 10 years ago
It's also a good idea to add the action to the seed which generates the nonce, so the nonce to post a comment is different from the one which allows you to delete your account. If you combine that with the username and set a short timeout, the user needs to have been on the form which does the action; somehow you need to be able to steal that nonce and get them to go to your infected page. It's basically no longer a security issue in that case. When someone loads a form they usually intend to fill it out, and you could even track when they leave the form to immediately invalidate the nonce.
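AceCorban asked above how a stateless server can tell a valid token from a forged one, and Niosus suggests binding the nonce to the action and the user with a short timeout. The following is an added illustration of one way to do exactly that (it is not Computerphile's or Tom Scott's code); it assumes a single server-side secret and uses a constructed session id and action name. The server never stores tokens: it recomputes an HMAC over (session, action, issue time) on every request, so the token can only be verified by the server, only for that session and that action, and only until it expires.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: one server-side secret, loaded from config in a real app. Generated
# here so the example runs stand-alone; rotating it invalidates every outstanding token.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 600  # short lifetime, as the comment above suggests


def _mac(session_id: str, action: str, issued_at: int) -> str:
    """HMAC over (session, action, issue time). The server can recompute this on
    every request, so no token needs to be stored in memory or a database."""
    message = f"{session_id}|{action}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def issue_token(session_id: str, action: str, now: Optional[int] = None) -> str:
    """Mint the hidden-field value for one form: '<issued_at>.<mac>'."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(session_id, action, issued_at)}"


def verify_token(token: str, session_id: str, action: str,
                 now: Optional[int] = None) -> bool:
    """Accept only a token minted for this session AND this action, within the TTL."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:          # malformed or missing token
        return False
    if not 0 <= now - issued_at <= TOKEN_TTL_SECONDS:
        return False            # expired, or a timestamp from the future
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(mac, _mac(session_id, action, issued_at))


def handle_post(cookies: dict, form: dict, action: str,
                now: Optional[int] = None) -> str:
    """Simulated state-changing endpoint such as /delete. The browser attaches the
    session cookie to a cross-site submission automatically; the token in the form
    body is what a third-party page cannot supply."""
    session_id = cookies.get("session")
    if session_id is None:
        return "401 not logged in"
    if not verify_token(form.get("csrf_token", ""), session_id, action, now):
        return "403 missing or invalid CSRF token"
    return f"200 {action} done"


if __name__ == "__main__":
    # Constructed walk-through: the genuine form carries a token, a forged one does not.
    genuine = {"csrf_token": issue_token("sess-alice", "delete_account")}
    forged = {"confirm": "true"}
    print(handle_post({"session": "sess-alice"}, genuine, "delete_account"))
    print(handle_post({"session": "sess-alice"}, forged, "delete_account"))
```

A token minted for the comment form is rejected on the delete endpoint, and one minted for Alice's session is rejected when Bob's cookie arrives with it, which is the action and user binding Niosus describes.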
@Linksbruder 10 years ago
Just wanting to let you guys know that you are doing a great job. I love watching your videos and always get excited when I see that you posted another one. I'm 16 years old and enjoy programming, but those videos add another point of view to it and really get you thinking. Greetings from Germany
@tyroneslothdrop9155 10 years ago
So, the money being transferred to the hacker's account, where is it coming from? If I posted a comment on the malicious blog, the money wouldn't be coming from my account. The fine details don't really make sense here. Would this attack affect me at all?
@FFVison 10 years ago
I have heard about this before, but there's a simple way around it. The problem with it is that the same malicious form on the unrelated blog can still submit a page request on the target site and grab the token before submitting to the page that actually does the damage. All it takes is a little bit of PHP knowledge, some knowledge of HTTP request headers, and a little ingenuity. Still, it's good to know how and why to do this.
@user-uc9fm8bn9o 10 years ago
Ooooh, maybe that's how people can hack or change your status on Facebook. Except for the times where it's someone physically doing it because the person was an idiot and left themselves logged into Facebook on their friend's computer.
@Kerbobotat 10 years ago
Really interesting! But how do you know if your bank, etc. is using the token system? Also, can we get a computerphile video explaining bitcoin?
@TheSam1902 8 years ago
Nice video! I already heard about it but I didn't understand everything, so you've made the web a safer place!
@Amdrel 10 years ago
I just learned about nonces yesterday and implemented one ;)
@WyandWombat 9 years ago
I'll simply stay away from awesome-blog, problems solved.
@grp215 10 years ago
What was the name of that one-time-key and why do the British have a different name for it?
@grp215 10 years ago
Thanks!
@allcoleldlwowlflfolfkskw 10 years ago
Alex Simpson ..and further, the reason it's called a "nonce" in computer terms is because it's short for number-used-once.
@hecanylmz 4 months ago
I've just watched the video, it was really helpful on my course! Thanks! 🙂
@austino5069 10 years ago
Use Rails for out-of-the-box, auto-configured CSRF protection. That's Ruby.
@Corrup7ioN 10 years ago
As well as using a sex offender, if you are doing anything remotely serious such as a money transfer or deleting an account, it doesn't hurt to either ask the user to confirm their password or send a confirmation email with a one-time token
@Zimpfnis 10 years ago
I know little about IT or programming, but your videos are always very informative and easy to understand, so thanks!
@Mrjesse451 10 years ago
How is a random user supposed to know if a site they are using is using this token during requests?
@cookman169 10 years ago
Go look in source code if there is a where 1337 would be the random number.
@IceMetalPunk 10 years ago
In general, you can view the page's source (Right Click->View Page Source on most browsers) and look for the form (search for
@TechyBen 10 years ago
"A bit more complicated". My new catch phrase. :)
@breakingVIE 10 years ago
during the whole vid I had to think of the cookie monster ^^
@svnhddbst8968 9 years ago
I feel Tom should put a thing on his blog that makes your account's user image change to a silly thing, possibly supporting internet security.
@pelatho 9 years ago
What if the malicious site makes a request to the bank's website through an invisible ? Wouldn't the contain the token? And you could then read the token and make your POST request.
@pelatho 9 years ago
Wait... the malicious site cannot read any contents of the if it loads data from another domain! Same-origin policy!