From: Panayiotis A. Thermos (pthermos_at_telcordia.com)
Date: Thu Aug 08 2002 - 16:38:40 CDT
Mike, as I said in my earlier messages we (mailing list) don't know
the application requirements to offer more specific suggestions.
On the other hand, yes, the current methods that are used to identify
users/terminals sound unorthodox and insecure.
I would add one more thing to your 3-item list.
User-ID and password authentication.
Although certificates provide a good way to identify, authenticate and
users they do not protect against certificate fraud. I have friends and
that implement certificate authentication but lack additional controls in
the certificate is stolen. In some environments this risk is acceptable
there are other compensating mechanisms. In others it is not.
But again, _your_ environment and requirements may limit you as to what
you can do.
<mshawwwisp.com> To: webappsecsecurityfocus.com
cc: (bcc: Panayiotis A. Thermos/Telcordia)
Subject: Re: Client IP - from client or server?
Just to kind of further clarify my situation...
After analyzing what they were doing, I summarized their security plans
1 - Limit certain logins to certain physical locations
2 - Limit certain logins to certain terminals
3 - Identify each terminal for hardware profiles
Based on this and after looking at various limitations in the enterprise, I
recommended IP (addresses, ranges, groups, or subnets) for 1, and client certs
for 2 and 3. This was all well and good, until I saw a java applet screen
scraping IP config for the mac address and IP address and submitting it to
the app via a form field (file under "unclear on the concept"). Of course,
I cried foul--indicating the obvious problems with this method and
indicating that getting the IP from the web server was the way to
go. After some vigorous nodding of heads, they went back to coding.
Then I saw the results. Someone read this article:
http://www.jguru.com/faq/view.jsp?EID=15832 and decided simply replacing
the screen scrape would fix the problem.
I'm still trying to explain why this is a Bad Idea. However, arguing with a
million monkeys typing on a million keyboards with a million JDKs (all
having their egos constantly stroked), I was beginning to doubt
myself--"this is a screwy idea, isn't it?".
However, y'all have affirmed my thinking.
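To make the point of the thread concrete, here is an added example (not code from either poster, nor from the application being discussed) of how plan item 1, limiting certain logins to certain physical locations, looks when the client address is taken from the server side of the connection instead of from a form field the browser or applet fills in. It is Python against a WSGI-style `environ` dict; the user-to-subnet policy, the user names, the addresses and the trusted proxy `10.0.0.5` are all constructed for the example. The proxy handling is an added caveat the thread does not discuss: if a reverse proxy sits in front of the application, `REMOTE_ADDR` is the proxy, and the forwarded address is only usable when the connection really came from that proxy, because any client can send an `X-Forwarded-For` header of its own.

```python
import ipaddress

# Constructed policy for plan item 1: the networks each login may come from.
LOCATION_POLICY = {
    "alice": ["10.1.0.0/16"],                 # hypothetical branch-office subnet
    "bob":   ["192.0.2.10/32", "10.2.0.0/24"],
}

# Hypothetical reverse proxies we operate and whose X-Forwarded-For we trust.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_for_policy(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the address the web server saw on the TCP connection.

    environ is a WSGI-style dict. Form fields, query parameters and
    arbitrary headers are never consulted; only REMOTE_ADDR is, because
    it is filled in by the server from the socket, not by the client.
    X-Forwarded-For is honoured only when the connection itself came from
    a proxy we run (assumption: that proxy appends the address it saw as
    the last hop, so earlier entries remain client-controlled).
    """
    remote = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if str(remote) in trusted_proxies:
        xff = environ.get("HTTP_X_FORWARDED_FOR", "")
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return ipaddress.ip_address(hops[-1])  # the hop our proxy appended
    return remote


def login_allowed(user, environ, policy=LOCATION_POLICY):
    """Plan item 1: permit the login only from the networks assigned to user."""
    ip = client_ip_for_policy(environ)
    allowed = [ipaddress.ip_network(n) for n in policy.get(user, [])]
    return any(ip in net for net in allowed)


if __name__ == "__main__":
    # Constructed requests. The second one carries a form field claiming an
    # inside address, exactly what the applet in the thread submitted; the
    # check ignores it and uses the connection address instead.
    direct = {"REMOTE_ADDR": "10.1.5.7"}
    claimed = {"REMOTE_ADDR": "203.0.113.9", "QUERY_STRING": "client_ip=10.1.5.7"}
    via_proxy = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": "10.1.5.7"}
    forged_xff = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "10.1.5.7"}
    for name, env in [("direct", direct), ("form field", claimed),
                      ("trusted proxy", via_proxy), ("forged header", forged_xff)]:
        print(f"alice from {name:14s} -> seen as {client_ip_for_policy(env)}, "
              f"allowed={login_allowed('alice', env)}")
```

The deciding rule is in `client_ip_for_policy`: the only input it reads is what the server itself recorded about the connection, so a client that lies in a form field, a header or an applet-generated request changes nothing unless it can actually originate packets from a permitted network. That is also the limit of the control: it ties a login to where the traffic enters, not to a person or a terminal, which is why the thread pairs it with certificates for items 2 and 3.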