Re: Session Fixation
From: Alex Russell <alex(at)netWindows.org>
Date: Mon Mar 31 2003 - 16:12:01 EST

-----BEGIN PGP SIGNED MESSAGE-----
On Monday 31 March 2003 12:17 pm, HarryM wrote:
Ok, so you've mitigated some of the risks of relying on IP addrs with procedural and policy protections, which just goes to show that you can't rely on IPs. Heh.

> I agree that for a public system intended to work with as many ISPs and

Actually, I think suggesting to anyone that they invest in half-measures when their time can be better spent elsewhere is even more damaging.

On the one hand, I can see your argument: it raises the bar ever so slightly, which is a good thing. But I don't think it's a good _enough_ thing. Consider that most people implementing these systems _aren't_ experts. They understand IP, they understand networking, but they don't really think about how to break things, so relying on IP seems "good enough". Giving the un-informed bad choices and telling them to get it right is a recipe for disaster if ever I've seen one.

So I stand by my opinion, if only because it leaves much less room for confusion among those who don't really grok all the complexities you seem willing to deal with, and because it matches the reality of truly untrustable networks. I find it much better to recommend things that work, are strong, and can address the core issues of session management rather than to hem and haw about the "nice to have" things that could possibly, sometimes, maybe provide some protection. IP "locking" provides very little benefit for lots of tail chasing, and it distracts newbie security developers from much more pressing problems and much better solutions. For those reasons, I continue to give it a big thumbs down.
-----BEGIN PGP SIGNATURE-----

iD8DBQE+iK8hoV0dQ6uSmkYRAtVHAJ960aq8OW9kWIYwR439WH/I4Ga3bQCfSt7v
macQFkPSA2tHb9KfxWHioNI=
-----END PGP SIGNATURE-----
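Editor's note, not part of Alex Russell's message or of the thread: the exchange argues about IP "locking" of sessions without spelling out what it does and does not stop. The constructed example below makes that concrete for the thread's subject, session fixation. It models three stores: one that honours whatever session id the client presents (the precondition for fixation), the same store with an IP check added at login, and a store that only honours server-minted ids and regenerates the id at login (the standard fixation defence, chosen here by the editor; the thread does not name it). Class names, the `sid-chosen-by-attacker` string and the RFC 5737 addresses are all hypothetical.

```python
"""
Session-fixation demo (constructed example, not code from the list thread).
Three in-memory session stores are run through the same two scenarios: a
fixation attack, and a legitimate user whose address changes mid-session.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    ip: Optional[str] = None          # client address recorded at login


class FixableStore:
    """Accepts whatever session id the client presents and creates a session
    under it if none exists.  With lock_to_ip=True it also refuses requests
    whose source address differs from the one seen at login ("IP locking")."""

    def __init__(self, lock_to_ip: bool = False) -> None:
        self.sessions: Dict[str, Session] = {}
        self.lock_to_ip = lock_to_ip

    def request(self, client_sid: Optional[str], client_ip: str) -> str:
        # A client-chosen id is honoured as-is: this is what makes fixation work.
        sid = client_sid or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, Session())
        return sid

    def login(self, sid: str, client_ip: str, user: str) -> str:
        sess = self.sessions[sid]
        sess.user, sess.ip = user, client_ip
        return sid                        # same id before and after login

    def whoami(self, sid: str, client_ip: str) -> Optional[str]:
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.lock_to_ip and sess.ip != client_ip:
            return None                   # IP lock: different address, no session
        return sess.user


class HardenedStore:
    """Only server-minted ids are honoured, and the id is regenerated at login,
    so an id planted before authentication never becomes an authenticated one."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def request(self, client_sid: Optional[str], client_ip: str) -> str:
        if client_sid in self.sessions:
            return client_sid
        sid = secrets.token_urlsafe(32)   # unknown or absent id: issue a fresh one
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, client_ip: str, user: str) -> str:
        self.sessions.pop(sid, None)      # retire the pre-login id outright
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = Session(user=user, ip=client_ip)
        return new_sid

    def whoami(self, sid: str, client_ip: str) -> Optional[str]:
        sess = self.sessions.get(sid)
        return sess.user if sess else None


def fixation_attack(store, attacker_ip: str, victim_ip: str) -> Optional[str]:
    """Attacker obtains an id, plants it in the victim's browser, the victim
    logs in with it, then the attacker replays it.  Returns the user the
    attacker is treated as, or None if the replay is rejected."""
    planted = store.request("sid-chosen-by-attacker", attacker_ip)
    victim_sid = store.request(planted, victim_ip)    # victim carries planted id
    store.login(victim_sid, victim_ip, "victim")
    return store.whoami(planted, attacker_ip)


def roaming_user(store, login_ip: str, later_ip: str) -> Optional[str]:
    """Legitimate user logs in from one address and continues from another
    (new dial-up lease, proxy farm, mobile hand-off).  Returns the user the
    later request is treated as, or None if the session was dropped."""
    sid = store.request(None, login_ip)
    sid = store.login(sid, login_ip, "alice")
    return store.whoami(sid, later_ip)


if __name__ == "__main__":
    a, v = "203.0.113.9", "198.51.100.7"         # attacker and victim addresses
    print("no lock, fixation       :", fixation_attack(FixableStore(), a, v))
    print("IP lock, distinct IPs   :", fixation_attack(FixableStore(True), a, v))
    print("IP lock, shared NAT/proxy:", fixation_attack(FixableStore(True), a, a))
    print("regenerate at login     :", fixation_attack(HardenedStore(), a, a))
    print("IP lock, roaming user   :", roaming_user(FixableStore(True), v, "198.51.100.8"))
    print("regenerate, roaming user:", roaming_user(HardenedStore(), v, "198.51.100.8"))
```

Run as a script it shows the two halves of the argument above: the IP lock does block the replay when attacker and victim sit on different addresses, which is the "raises the bar ever so slightly" case, but it does nothing once both come through the same NAT or proxy, and it logs out the legitimate user whose address changes. Regenerating the id at login and refusing client-chosen ids defeats the replay in every scenario with no IP check at all.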
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT