Re: Referer (was Patches for wwwboard.pl)

From: Kevin Littlejohn (dariusat_private)
Date: Tue Oct 13 1998 - 20:02:48 PDT


    >>> Lincoln Stein wrote
    > The original article did suggest incorporating the IP address and a
    > timestamp in the hash function.  The main point of the article was
    > that using just the Referer field for security was a very bad idea.
    >
    > I sure hope this thread will be killed soon!
    
    Um - sorry ;)
    
    One comment I wanted to make re: web security - if you're relying on
    the IP number of the machine requesting the file for any sort of security,
    then you'll break your web site for anyone using multiple proxies.  In .au,
    this is especially a problem, as we have some fairly large hierarchies
    of proxy servers - for a lot of our users, a single web 'session' can
    generate requests from multiple different boxes, as different proxies
    react faster for each request.
    
    Sorry to extend the thread, but people trying to tie web security down
    to originator IP number is a pet hate of mine ;/
    
    KevinL
    >
    > Lincoln
    >
    > David Schwartz writes:
    >  >
    >  >      You should also be including a timestamp and an originator IP in the hash
    >  > function. Otherwise you are vulnerable to interception and replay attacks.
    >  > If you're going to do it, you might as well do it right.
    >  >
    >  >      DS
    >  >
    >  > > Even though I wrote this, it turns out that this isn't the best way to
    >  > > compute a message authentication code (MAC).  A more secure technique
    >  > > is this:
    >  > >
    >  > >  $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable
    >  > > @consistency"))
    >  > >
    >  > > I explain the problems with the original scheme in the October issue
    >  > > of Web Techniques.
    >  > >
    >  > > Lincoln
    >  > >
    >  > > --
    >  > > ========================================================================
    >  > > Lincoln D. Stein                           Cold Spring Harbor Laboratory
    >  > > lsteinat_private                                   Cold Spring Harbor, NY
    >  > > ========================================================================
    >  > >
    > --
    > ========================================================================
    > Lincoln D. Stein                           Cold Spring Harbor Laboratory
    > lsteinat_private                                   Cold Spring Harbor, NY
    > ========================================================================
    >
    
    --------------- qnevhfat_private ---------------
    Kevin Littlejohn,
    Development Engineer, Connect.com.au
    ----------- Oernxf guvatf sbe n yvivat -----------
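The two points argued above, Lincoln's nested-hash MAC over hidden form fields and Kevin's objection to binding that MAC to the originator IP, as an added Python example that is not part of the thread or of wwwboard.pl: the field names, the constructed secret, the 15-minute replay window and the IP addresses are assumptions, and MD5 is kept only to mirror the Perl line quoted above (a new design would use `hmac` with SHA-256).

```python
import hashlib
import hmac

# Constructed server-side secret for this example; a real deployment uses a long random value.
SECRET = "example-secret-do-not-reuse"


def nested_mac(secret: str, untamperable: list, consistency: list) -> str:
    """Lincoln's nested construction: MD5(secret . MD5("secret untamperable consistency")),
    mirroring Perl's space-joined array interpolation."""
    inner = hashlib.md5(f"{secret} {' '.join(untamperable)} {' '.join(consistency)}".encode()).hexdigest()
    return hashlib.md5((secret + inner).encode()).hexdigest()


def sign_form(fields: dict, issued_at: int, client_ip: str = "") -> dict:
    """Return the hidden fields plus ts (and optionally ip) and a MAC over all of them.
    Binding to client_ip is the choice Kevin warns about: it fails behind proxy hierarchies."""
    untamperable = [f"{k}={v}" for k, v in sorted(fields.items())]
    consistency = [f"ts={issued_at}"] + ([f"ip={client_ip}"] if client_ip else [])
    signed = dict(fields, ts=str(issued_at))
    if client_ip:
        signed["ip"] = client_ip
    signed["mac"] = nested_mac(SECRET, untamperable, consistency)
    return signed


def verify_form(submitted: dict, now: int, request_ip: str, max_age: int = 900) -> bool:
    """Recompute the MAC over the submitted values, enforce the replay window,
    and, only if the form was IP-bound, require the current request IP to match."""
    sub = dict(submitted)
    mac = sub.pop("mac", "")
    ts = sub.pop("ts", "0")
    bound_ip = sub.pop("ip", "")
    untamperable = [f"{k}={v}" for k, v in sorted(sub.items())]
    consistency = [f"ts={ts}"] + ([f"ip={bound_ip}"] if bound_ip else [])
    expected = nested_mac(SECRET, untamperable, consistency)
    if not hmac.compare_digest(mac.encode(), expected.encode()):  # constant-time comparison
        return False
    if not ts.isdigit() or now - int(ts) > max_age:  # timestamp limits replay
        return False
    return not bound_ip or bound_ip == request_ip


if __name__ == "__main__":
    order = {"item": "widget", "price": "19.95"}
    plain = sign_form(order, issued_at=1000)
    bound = sign_form(order, issued_at=1000, client_ip="203.0.113.10")
    print(verify_form(plain, 1100, "203.0.113.11"))                     # True: not IP-bound
    print(verify_form(dict(plain, price="0.01"), 1100, "203.0.113.11"))  # False: tampered
    print(verify_form(bound, 1100, "203.0.113.11"))                     # False: second proxy
```

The timestamp alone gives the replay window David asks for, while the IP-bound variant rejects a legitimate submission as soon as the next request in the session arrives through a different proxy.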
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:35 PDT