Re: Session Fixation - IPs are bad angle

From: HarryM <harrym(at)the-group.org>
Date: Tue Apr 01 2003 - 10:20:28 EST

I specifically said "in the context of *WEB* services" to avoid this kind of response, my post wasn't a blanket statement at all! I've also spent some time in this thread *defending* the use of IP as a part of securing a web application... Nor did I say that IP is useless for identifying a client (if it were, what would be the point in it?), I said that it's *unreliable* when considering *web services* because of people's tendency to disguise it with proxies and NATs and so on.

Of course there's nothing wrong with a "deny from all/allow from blah" kind of setup, I also use a similar scheme, but that's not comparable to the discussion in the rest of this thread; viz., how to secure a web application deployed over the web for use by hundreds/thousands of people all with different system configurations and levels of understanding.

Finally, I don't say things like "Never Do That", and "a definite no-no" when speaking about security. In a subject that's this complex, such phrases leave far too little room to maneuver. I agree with your last 3 paragraphs. I don't agree that I was doing any of those things, however.

HarryM

----- Original Message -----
From: "Jordan Frank" <jfranka@sfu.ca>
To: "HarryM" <harrym@the-group.org>; <webappsec@securityfocus.com>
Sent: Tuesday, April 01, 2003 4:34 AM
Subject: Re: Session Fixation - IPs are bad angle

> HarryM wrote,
> it
> | should never be depended on for anything - least of all security.
> solely
> on IPs to protect my data. I'm also not even going to rely on passwords or
> I
> always check the fingerprint). Actually, I think I'll use Hidden Form
> Fields
> to maintain the state, and I'll use a Session ID that is assigned by the
> form
> fields are also a definite no-no"?).
> my
> TCP Sequence numbers are as random as the jokes on The Family Guy (ie.
> open
> on the server are https and ssh (ssh is also setup to only allow
> connections
> from a single IP, but a username and password are used for logging in,
> fingerprint).
>
> I also have about 5 thousand credit card numbers, 5 thousand social
> all
> encrypted using ROT13, in a MySQL database. The username and password for
> in
> the protected area of the site (ouch, another whole gaggle of no-no's).
> The
> index.cgi just uses string concatenation to build the SQL query from the
> data
> on this server. So I challenge you to get the data. Describe how you do it
> to
> actually retrieve it (bonus points if you can code the exploits for the
> to
> just this paragraph...but who likes short posts anyways...
> learn
> about security. You do not learn about security by reading the security
> understand
> why they shouldn't use them, and that's going to build a much more
> informed
> community of developers...just my opinion though, I could be wrong...
Received on Tue Apr 1 10:41:16 2003
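As an added example (not code from either poster), a small session store illustrating the position argued in this thread: the server issues a fresh id at login so an id planted before authentication never becomes a live session, and the client IP is recorded as a weak signal rather than a hard binding, since proxies and NAT change it legitimately. The SessionStore class, its methods and the in-memory dict are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None        # None until the user authenticates
    created: float = field(default_factory=time.time)
    ip: Optional[str] = None          # client IP seen when the session was bound
    ip_changed: bool = False          # set once a later request arrives from another IP


class SessionStore:
    """Hypothetical in-memory store; a real app would persist sessions server-side."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def start(self) -> str:
        # Pre-auth session: the server chooses the id, never the client or a URL parameter.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def login(self, old_sid: str, user: str, client_ip: str) -> str:
        # Session fixation defence: discard the pre-auth id and mint a new one,
        # so whatever id the client arrived with cannot become the authenticated session.
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user, ip=client_ip)
        return new_sid

    def lookup(self, sid: str, client_ip: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None or s.user is None:
            return None
        # IP is a weak signal: proxies and NAT move it legitimately, so a change
        # is recorded and downgrades trust instead of killing the session outright.
        if s.ip != client_ip:
            s.ip_changed = True
        return s

    def sensitive_allowed(self, sid: str, client_ip: str) -> bool:
        # Sensitive actions (password change, payment) stay available only while the
        # IP has been stable; after a change the app should require re-authentication.
        s = self.lookup(sid, client_ip)
        return s is not None and not s.ip_changed
```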

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT

