[3842] in WWW Security List Archive
Re: web server's security -Reply
daemon@ATHENA.MIT.EDU (Jeremey Barrett)
Wed Dec 18 20:49:16 1996
Date: Wed, 18 Dec 1996 15:42:24 -0800 (PST)
From: Jeremey Barrett <jeremey@veriweb.com>
To: Javier Romeu <redsecurity@netculture.net>
cc: DAVE SANDERS <DSANDERS@fusn.com>, www-security@ns2.rutgers.edu
In-Reply-To: <199612181524.KAA09274@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 18 Dec 1996, Javier Romeu wrote:
> Well, as I said in a previous message, it's trivial for a Windoze
> user to install an identd server and spoof those responses. For
> example, Mirc, in File-Setup-Identd, let's specify this. Of course,
> if user is usgin Mirc at the same time he/she's browsing your pages
> you'll get the identd response he/she has set for Mirc, so you may get
> something like D0nt_Ask or r00t :)
Agreed. Whether non-existent or bogus, identd info should never be
used as a basis for authentication.
>
> > For the web server to collect this info, it has to connect to the
> > identd daemon, send a request, and get a reply. This is a
> > performance bottleneck in general, and since it will likely gain you
> > little information, is pretty useless IMO.
>
> If the identd response is needed to allow the incoming http connecion
> it may be a bottleneck. But could be also implemented so that both
> process run at the same time?
If the intent of the identd query is to provide information to a CGI
or similar purpose, the query _must_ be run before the CGI is forked,
else the information cannot be delivered. If it is simply for logging
purposes, it could be farmed off to some other process, but given
the uselessness of the data, it really wouldn't be worth it.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jeremey Barrett
Senior Software Engineer jeremey@veriweb.com
VeriWeb Internet Corp. http://www.veriweb.com/
PGP Key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
PGP Public Key: http://www.veriweb.com/people/jeremey/pgpkey.html
"less is more." -- Mies van de Rohe.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMriBMy/fy+vkqMxNAQHjLwP9FeMvPfnWlDqqdsmNluZ2I9I8zLbUUobZ
RpBShfI+bbey3kGQF6Fm9K5SzsSF06VbEzFEIgzL8UU1i7rfLgK4cpfdfsuLvLPK
4HAvdh9aRoKTefTsxVRiYiRHtRzk7rvB6cuRd9tRNpoi9HQa7ozOwN1fVr7inQqM
0TmSLN9eW2k=
=FfWQ
-----END PGP SIGNATURE-----
