 Posted by Ezra Nugroho on 07/08/05 22:01 
True. People can steal sessions within a firewall as well. 
 
Unless browsers can do digital signatures, there is no good way to 
validate users. 
 
I think you would agree that for now it comes down to two choices: 
1. Focus on convenience, let security slack a little or 
2. Focus on security, and tolerate some inconvenience. 
 
 
W3C, please do something!! 
 
 
 
On Fri, 2005-07-08 at 14:53 -0400, Michael Caplan wrote: 
> I just was reading a thread on the PHPSEC list, where one of the developers 
> of FUD Forums (Ilia) was mentioning his experience with AOL users.  He 
> claims that IPs can change as frequently as every request to the server. 
> I've also noted similar (but not as drastic) effects.  IPs are really not a 
> good fingerprint for a user, unless you are fine with invalidating users on 
> a frequent basis. 
>  
> Michael 
>  
> > -----Original Message----- 
> > From: Ezra Nugroho [mailto:enugroho@spikesource.com] 
> > Sent: Friday, July 08, 2005 11:49 AM 
> > To: Michael Caplan 
> > Subject: RE: [PHP] Re: Security, Late Nights and Overall Paranoia 
> >  
> > True, but it's better than nothing. 
> >  
> > IP doesn't change that often, maybe at worst once every hour. 
> > Sensitive cookies should not live that long anyway. 
> >  
> > It's not a great solution, but it's something. 
> >  
> >  
> >  
> > On Fri, 2005-07-08 at 14:41 -0400, Michael Caplan wrote: 
> > > IPs are unreliable.  An IP will change frequently if a user travels through 
> > > a proxy pool, like AOL users, or just about any user from a large ISP. 
> > > 
> > > Michael 
> > > 
> > > > -----Original Message----- 
> > > > From: Ezra Nugroho [mailto:enugroho@spikesource.com] 
> > > > Sent: Friday, July 08, 2005 11:25 AM 
> > > > To: Edward Vermillion 
> > > > Cc: php Lists 
> > > > Subject: Re: [PHP] Re: Security, Late Nights and Overall Paranoia 
> > > > 
> > > > 
> > > > Here is one security measure that you HAVE to do if you allow people to 
> > > > submit content to your site. 
> > > > 
> > > > 
> > > > 1. Track the client's IP. 
> > > > 2. Associate sensitive cookies with the IP; if they don't match, ignore 
> > > > it or invalidate the cookie. 
> > > > 
> > > > We may not stop the information redirection. 
> > > > We can make the information invalid. 
> > > > 
> > > > 
> > > > Regards, 
> > > > 
> > > > Ezra 
> > > > 
> > > > 
> > > > 
> > > > On Fri, 2005-07-08 at 12:31 -0500, Edward Vermillion wrote: 
> > > > > On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote: 
> > > > > 
> > > > > > 
> > > > > > I am just wondering, how could someone craft HTML to steal cookies? 
> > > > > > If your cookie distribution is done right, I don't think you need to 
> > > > > > worry about this. 
> > > > > > 
> > > > > 
> > > > > That's what XSS is all about. I don't have the link handy but I do have 
> > > > > a PDF file that I found a while back that explains how this happens, and 
> > > > > to tell the truth, it scared the s*** outa me. To the point that I really 
> > > > > don't trust any online commerce, although I do still use it, just as I 
> > > > > still give the waitress/waiter my credit card at a restaurant, even though 
> > > > > I know that's where most of the identity theft/stolen CC numbers come from. 
> > > > > 
> > > > > > There are a gazillion sites (CMS-based, wiki-based, etc., including 
> > > > > > php.net) that allow users to contribute HTML. They are not concerned 
> > > > > > about security of data delivery. 
> > > > > 
> > > > > Yeah I know... :P 
> > > > > 
> > > > > > 
> > > > > > I think page-breaking HTML is a more prominent issue, which you could 
> > > > > > eliminate with BBcode or a wiki language. 
> > > > > > 
> > > > > > Perhaps you are being a little paranoid? 
> > > > > > Or do I miss something? 
> > > > > > 
> > > > > 
> > > > > So yeah, I'm being paranoid but I'm also trying to cover as many bases 
> > > > > as I can and yet still provide some decent functionality. 
> > > > > 
> > > > > 
> > > > > Edward Vermillion 
> > > > > evermillion@doggydoo.net 
> > > > > 
> > > > 
> > > > -- 
> > > > PHP General Mailing List (http://www.php.net/) 
> > > > To unsubscribe, visit: http://www.php.net/unsub.php 
> > > 
> > > 
> > > 
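The IP-binding check proposed up-thread, together with the short cookie lifetime Ezra mentions, as an added PHP example that is not code from anyone in this thread; the function names and the 900-second idle limit are assumptions of mine, and the comments spell out the proxy-pool trade-off Michael raises.

```php
<?php
// Added example (not from the thread): bind a PHP session to the client's IP
// as proposed above, and expire it quickly. Proxy pools (the AOL case in the
// thread) can change REMOTE_ADDR between requests, so this logs such users out.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 900; // seconds; assumed value, "sensitive cookies should not live that long"

// Call once, right after a successful login, so the session id the browser
// held before authentication is never the one tied to the authenticated user.
function bind_session_to_client(array $server): void
{
    session_regenerate_id(true);
    $_SESSION['bound_ip']  = $server['REMOTE_ADDR'] ?? '';
    $_SESSION['last_seen'] = time();
}

// Returns true when the request may continue with this session, false when the
// session must be discarded. Pure function of its inputs, so it can be exercised
// without a web server.
function session_client_matches(array $session, array $server, int $now): bool
{
    if (!isset($session['bound_ip'], $session['last_seen'])) {
        return false;                       // never bound: treat as invalid
    }
    if ($now - (int) $session['last_seen'] > SESSION_IDLE_LIMIT) {
        return false;                       // idle too long: cookie outlived its welcome
    }
    // The trade-off from the thread: a legitimate user behind a rotating proxy
    // pool fails here and is logged out; a cookie replayed from another address
    // fails here too. Pick the inconvenience you can tolerate.
    return hash_equals($session['bound_ip'], $server['REMOTE_ADDR'] ?? '');
}

// Per request, before touching any authenticated data. HttpOnly keeps the
// cookie out of reach of script injected via XSS, the theft path discussed above.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();
if (!session_client_matches($_SESSION, $_SERVER, time())) {
    $_SESSION = [];
    session_destroy();
    // redirect to the login page here
} else {
    $_SESSION['last_seen'] = time();        // refresh the idle timer
}
```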