[1826] in WWW Security List Archive
Re: Restrictions group without ask for the password
daemon@ATHENA.MIT.EDU (Adam Shostack)
Mon Apr 15 21:38:00 1996
From: Adam Shostack <adam@lighthouse.homeport.org>
To: dmurray@pdssoftware.com
Date: Mon, 15 Apr 1996 19:39:46 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <199604151429.JAA19539@homeport.org> from "Dave Murray" at Apr 15, 96 09:21:10 am
Errors-To: owner-www-security@ns2.rutgers.edu
Dave Murray wrote:
| > I wouldn't bother. If you're going to be using IP to handle
| > your authentication, your authentication will be so weak as to be
| > worthless.
|
| I realize this is a double-edged sword, but could you explain, or
| point me to an explanation, as to why this is so?
The essence of the answer is that IP is designed to route
packets, not to provide for authentication. There are attacks where a
host acts as a router, so that packets appear to come from that host
A, when in fact they come from host B.

Further, you don't want to give information to computers, you
want to give information to the users of those computers. You thus
want to make the user do something, such as type in a password, or
demonstrate their possession of a token, that gives some evidence that
they are authorized.
There are many articles on the web on IP spoofing.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
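The contrast the reply draws, between trusting the address a packet claims to come from and making the user prove something, as an added example that is not part of the original thread. The weak function decides purely on the claimed source address; the hardened one requires either a password or an HMAC response to a fresh server nonce (the "token" in the reply), and treats the address as nothing more than an audit signal. All networks, addresses, users and secrets below are constructed, and the function names are this example's own.

```python
"""Added example (not from the original mailing-list thread).

ip_only_authorize(): the scheme the thread argues against. Its only input is
the source address the packet claims to carry, a header field that is not
tied to any person and that the receiving host cannot verify on its own.

user_authorize(): the scheme the reply recommends. The user must prove
possession of a secret, either a password or a token used to answer a
server challenge. The source address is kept for logging, never for deciding.

Every network, address, user and secret here is constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# --- weak: decide on the claimed source address only ---------------------

ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed "trusted" LAN


def ip_only_authorize(src_ip: str) -> bool:
    """Grants access purely because the packet says it came from a trusted net."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_NETS)


# --- hardened: the user must present evidence ----------------------------

PBKDF2_ROUNDS = 100_000


def _password_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored credentials are not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, token_secret: bytes) -> dict:
    """Builds a constructed user record: salted password hash plus a token secret."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _password_hash(password, salt), "token": token_secret}


# Constructed user database; a real deployment keeps this in a store, not in code.
USERS = {
    "alice": make_user("correct horse battery staple", b"alice-token-secret-0001"),
}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_password_hash(password, user["salt"]), user["pw_hash"])


def issue_challenge() -> bytes:
    """Server side: a fresh nonce the client must answer with its token secret."""
    return secrets.token_bytes(32)


def token_response(token_secret: bytes, challenge: bytes) -> bytes:
    """Client side: proves possession of the token without sending the secret."""
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


def verify_token(username: str, challenge: bytes, response: bytes) -> bool:
    """Server side: the response is valid only for this user's secret and this nonce."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(token_response(user["token"], challenge), response)


def user_authorize(src_ip: str, username: str, *, password: Optional[str] = None,
                   challenge: Optional[bytes] = None,
                   response: Optional[bytes] = None) -> bool:
    """Access requires user evidence; src_ip is recorded but never decides."""
    if password is not None and verify_password(username, password):
        return True
    if challenge is not None and response is not None:
        return verify_token(username, challenge, response)
    # No evidence from the user: the claimed address alone is not enough.
    return False


if __name__ == "__main__":
    # A request claiming a LAN address passes the weak check with no user at all.
    print("ip-only, claimed 10.1.2.3:", ip_only_authorize("10.1.2.3"))
    # The hardened check ignores the address and asks the user for proof.
    print("user, no evidence:", user_authorize("10.1.2.3", "alice"))
    nonce = issue_challenge()
    answer = token_response(b"alice-token-secret-0001", nonce)
    print("user, token proof:", user_authorize("10.1.2.3", "alice",
                                               challenge=nonce, response=answer))
```

The challenge-response path is the reason the reply prefers a token over a bare shared secret on the wire: the secret itself never leaves the client, and a captured response is useless after its nonce is spent, whereas a source address is reused by every packet and proves nothing about who typed the request.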