[2326] in WWW Security List Archive


Re: REMOTE_HOST and REMOTE_ADDR security

daemon@ATHENA.MIT.EDU (Jüri Kaljundi)
Fri Jul 5 16:22:04 1996

Date: Fri, 5 Jul 1996 19:34:33 +0300 (EET DST)
From: Jüri Kaljundi <jk@stallion.ee>
To: Micah Brandon <brandon@vv.com>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <2.2.32.19960705155307.006ceef0@eniac.vv.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Fri, 5 Jul 1996, Micah Brandon wrote:

> At 07:10 PM 6/25/96 +0300, Jüri Kaljundi wrote:
> >The question is, how safe can I be in assuming, that in case I know the
> >user coming from a certain machine (using REMOTE_HOST or _ADDRESS), can I
> >be sure nobody else can make my server think they are coming from the same
> >machine? There will be no proxies in between, the connection will be
> >between the client's PC and www server (Apache).
>
>         I would say because you have absolutely no control over these
> variables, you wouldn't want to put a security system in place where your IP
> was your password.  However, statistically speaking, you'd have a pretty
> good representation of who was hitting your server if you only wanted to log
> remote hosts & IPs...since MOST people aren't spoofing their address.

Well, the exact situation that a local company is using is this. They use
an SSL server, which means no proxy cache is in use between the client and
server. HTTP Basic Authentication is not used; instead a client has to
give the username and password in a WWW form, and a CGI script uses these
values to do authentication. After that the server uses the client's IP address
to allow the client to use some CGI scripts or data that should be available
to that client only. When the user leaves, they have to access a certain
script to leave the server, thus freeing the IP address.

When I use at the same time two SSL-capable clients from a multiuser machine
like a Unix box, once the first client has logged in, I can access the first
client's data, as the IP address is the same.

So as long as the server is sure that the client comes from a single-user
machine, they can use IP authentication. If it were possible to spoof
the IP address of some single-user machine, you would also get access to
the other client's personal data.

Jüri Kaljundi
AS Stallion
jk@stallion.ee
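An added illustration of the failure mode described in this message, written for this archive page and not taken from the original post or from the company's CGI scripts. It models the two authorisation schemes side by side: an IP-keyed session table (the design the company uses, where REMOTE_ADDR is the authorisation key until a logout script frees it) and a token-keyed table (the usual fix: the login script issues an unguessable session token and carries it in a cookie over the SSL connection). The in-memory session classes, the user/password table, the address 192.0.2.10 standing in for a shared multiuser Unix box, and the cookie name "session" are all constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed credential store for the example (not real accounts).
USERS = {"alice": "correct horse", "bob": "battery staple"}


class IpBoundSessions:
    """The scheme described in the post: after a successful form login the
    server remembers REMOTE_ADDR, and every later request from that address
    is treated as the logged-in user until a logout script frees the address.
    """

    def __init__(self):
        self.logged_in = {}  # REMOTE_ADDR -> username

    def login(self, remote_addr, username, password):
        if USERS.get(username) != password:
            return False
        self.logged_in[remote_addr] = username
        return True

    def whoami(self, remote_addr):
        # The authorisation decision looks only at the source address, so any
        # process on a multiuser host with that address is indistinguishable.
        return self.logged_in.get(remote_addr)

    def logout(self, remote_addr):
        self.logged_in.pop(remote_addr, None)


class TokenBoundSessions:
    """Hardened variant: the login script issues a random session token and
    the client must present it on each request (here via a cookie); the
    source address plays no part in the decision.
    """

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, username, password):
        if USERS.get(username) != password:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token] = username
        return token

    def whoami(self, token):
        return self.sessions.get(token)

    def logout(self, token):
        self.sessions.pop(token, None)


def token_from_environ(environ):
    """What a CGI script would do: pull the session token out of HTTP_COOKIE.
    Returns None when no "session" cookie is present (hypothetical cookie name).
    """
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    return morsel.value if morsel else None


def demo():
    """Two clients on one multiuser machine; only the first one logs in.
    Returns what each scheme believes the *second* client's identity is."""
    shared_host = "192.0.2.10"  # constructed: address of a shared Unix box

    ip = IpBoundSessions()
    ip.login(shared_host, "alice", "correct horse")
    # Second client, same REMOTE_ADDR, never authenticated: inherits alice.
    second_client_as_seen_by_ip = ip.whoami(shared_host)

    tok = TokenBoundSessions()
    tok.login("alice", "correct horse")
    # Second client shares the address but has no cookie, so no token.
    second_client_as_seen_by_token = tok.whoami(
        token_from_environ({"REMOTE_ADDR": shared_host})
    )
    return second_client_as_seen_by_ip, second_client_as_seen_by_token


if __name__ == "__main__":
    by_ip, by_token = demo()
    print("IP-keyed scheme sees second client as:", by_ip)
    print("token-keyed scheme sees second client as:", by_token)
```

The token variant does not by itself address the spoofing question raised in the thread; it simply stops treating the address as a credential, so that two processes behind one REMOTE_ADDR (or, for that matter, behind one NAT gateway or proxy) are no longer conflated. The token must still travel only over the SSL connection, and the logout script should delete the token rather than "free" an address.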

