[3836] in WWW Security List Archive
Re: web server's security -Reply
daemon@ATHENA.MIT.EDU (Javier Romeu)
Wed Dec 18 11:56:06 1996
From: "Javier Romeu" <redsecurity@netculture.net>
To: DAVE SANDERS <DSANDERS@fusn.com>
Date: Wed, 18 Dec 1996 16:20:59 +0100
Reply-to: redsecurity@netculture.net
CC: www-security@ns2.rutgers.edu
X-Confirm-Reading-To: redsecurity@netculture.net
Errors-To: owner-www-security@ns2.rutgers.edu
Hi,
> The only way this information can be gained is by running an identd
> check (a query to the identd daemon on the _client's_, i.e.
> browser's, machine) on the socket connected to the browser. identd is
> 1) not run by a lot of people on their machines (Unix), and 2)
> non-existent on windoze machines.
Well, as I said in a previous message, it's trivial for a Windoze
user to install an identd server and spoof those responses. For
example, Mirc, in File-Setup-Identd, lets you specify this. Of course,
if the user is using Mirc at the same time he/she's browsing your pages
you'll get the identd response he/she has set for Mirc, so you may get
something like D0nt_Ask or r00t :)
> For the web server to collect this info, it has to connect to the
> identd daemon, send a request, and get a reply. This is a
> performance bottleneck in general, and since it will likely gain you
> little information, is pretty useless IMO.
If the identd response is needed to allow the incoming http connection
it may be a bottleneck. But could it also be implemented so that both
processes run at the same time?
Regards,
Javier
________________________________________________________
**************** R E D S e c u r i t y ****************
Javier Romeu, Manager.
mailto:redsecurity@netculture.net
Web: http://www.netculture.net/~redsecurity
Tel: +34-3-2098048 Fax: +34-3-2048105
Specialists in Computer *Security*
********************************************************
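
The concurrent lookup asked about in the message above, sketched as an added example that is not part of the original post or of any web server's code: the RFC 1413 query runs as a background task with a short timeout while the response is built, and the reply is treated as an unverified claim. The handler name, the 0.5 s timeout, the sample port numbers and the loopback `fake_identd` stand-in are assumptions constructed for the demonstration.

```python
import asyncio

async def ident_lookup(host, server_port, client_port, ident_port=113, timeout=2.0):
    """RFC 1413 query. Returns the claimed user id, or None on error/timeout.
    The value is whatever the remote machine chooses to send: log it, never
    base an access decision on it."""
    async def query():
        reader, writer = await asyncio.open_connection(host, ident_port)
        try:
            # The port on the identd host (the browser's) goes first, ours second.
            writer.write(f"{client_port} , {server_port}\r\n".encode())
            await writer.drain()
            line = (await reader.readline()).decode("ascii", "replace")
        finally:
            writer.close()
        # Expected reply: "<ports> : USERID : <opsys> : <user-id>"
        fields = [f.strip() for f in line.split(":", 3)]
        return fields[3] if len(fields) == 4 and fields[1] == "USERID" else None
    try:
        return await asyncio.wait_for(query(), timeout)
    except (OSError, ValueError, asyncio.TimeoutError):
        return None

async def handle_request(peer_host, peer_port, ident_port=113):
    """Hypothetical handler: the lookup runs while the response is built."""
    lookup = asyncio.create_task(ident_lookup(peer_host, 80, peer_port, ident_port, 0.5))
    body = "<html>hello</html>"      # stands in for real request processing
    claimed = await lookup           # bounded by the 0.5 s timeout above
    return body, claimed

async def fake_identd(reader, writer):
    """Constructed stand-in for a client-side identd that answers anything."""
    ports = (await reader.readline()).decode().strip()
    writer.write(f"{ports} : USERID : UNIX : r00t\r\n".encode())
    await writer.drain()
    writer.close()

async def demo():
    server = await asyncio.start_server(fake_identd, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        return await handle_request("127.0.0.1", 40000, port)
    finally:
        server.close()

def run_demo():
    return asyncio.run(demo())

if __name__ == "__main__":
    print(run_demo())
```

With the lookup off the critical path, a missing or slow identd costs at most the timeout, and the logged name is only as reliable as the machine that supplied it.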