[55] in WWW Security List Archive


Anonymous Session ID

daemon@ATHENA.MIT.EDU (hallam@dxal18.cern.ch)
Wed Aug 17 19:16:26 1994

From: hallam@dxal18.cern.ch
To: www-security@ns1.rutgers.edu
Cc: hallam@dxal18.cern.ch
Date: Wed, 17 Aug 94 13:18:55 +0200


Hi,

	At WWW'94 #1 Dave Raggett made a suggestion that an anonymous session
ID be added to the HTTP protocol. This could be used for making traffic
analysis and to tune servers amongst other things. The characteristics of the
Id should be :-

1) That it be guaranteed unique.
2) That it be untraceable to the originator.

I would like to add in an extra parameter that is guaranteed to increase
monotonically. This can then be used to prevent replay attacks. NB the time
is useless for this since different hosts may be in different timezones and
not all hosts have GMT, and those that do cannot be guaranteed to be accurate.



I have implemented this in Shen for the time being. As follows:-

A number of parameters concerning the host are taken and concatenated to form
a string which is then hashed.

For example, the string might be: 726069f14156a3fb2361f8ptsun02
Which is hashed to give:          P8SjbDp5Wjc65HZOofFC2w==

The first anon Id is therefore :-
Anonymous-ID: P8SjbDp5Wjc65HZOofFC2w==, 0

The second :-
Anonymous-ID: P8SjbDp5Wjc65HZOofFC2w==, 1


Added security:

The current system allows rather too much traffic analysis. Is it desirable
for example for a server to know how many other servers have been accessed
in the mean time? A browser could of course use a different id for every
host.

Also multithreaded browsers are a problem. For these I would like to
give the thread number/id first:-

Anonymous-ID: P8SjbDp5Wjc65HZOofFC2w==, A, 0
Anonymous-ID: P8SjbDp5Wjc65HZOofFC2w==, A, 1

etc..

Or should the thread id be always used? This is the current implementation
at any rate.


In some cases the Anon id is essential for security work. For example in order
to get a criminal prosecution for hacking it is necessary to demonstrate
intent. This is quite hard on the net (I didn't know where the anchor led to!).
So there must be a facility to put up a warning page the first time access
to a secure resource is attempted. The Anon session id permits this.

I know that this makes the protocol non-idempotent and creates server side
state. This is not the real point behind the idempotence requirement of HTTP.
This stems from the irritating "session" paradigm of NNTP, FTP etc where the
client engages in an entirely pointless negotiation of information that could
be sent in a request/response fashion much more easily.


    Phill H-B
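
Added example, not part of the original message and not the Shen code: a sketch of how a server could use the counter in the two Anonymous-ID forms shown above to reject replays and to spot the first request of a session (the point at which a warning page could be shown). The names parse_anonymous_id and ReplayGuard are hypothetical, and counters are assumed to be strictly increasing within each thread.

```python
import re

# The two header value forms from the message:
#   "<id>, <counter>"   and   "<id>, <thread>, <counter>"
_HEADER = re.compile(
    r"^\s*(?P<sid>[A-Za-z0-9+/]+={0,2})\s*,"   # base64 session id
    r"(?:\s*(?P<thread>[A-Za-z0-9]+)\s*,)?"    # optional thread id
    r"\s*(?P<counter>\d+)\s*$"                 # monotonic counter
)

def parse_anonymous_id(value):
    """Return (session_id, thread_id, counter); thread_id is '' if absent."""
    m = _HEADER.match(value)
    if m is None:
        raise ValueError("malformed Anonymous-ID value")
    return m["sid"], m["thread"] or "", int(m["counter"])

class ReplayGuard:
    """Tracks the highest counter accepted per (session id, thread id)."""

    def __init__(self):
        self._last = {}  # session id -> {thread id -> highest counter}

    def check(self, value):
        try:
            sid, thread, counter = parse_anonymous_id(value)
        except ValueError:
            return "malformed"
        threads = self._last.setdefault(sid, {})
        first = not threads              # no request seen yet for this id
        last = threads.get(thread)
        # A counter that does not advance is a replayed (or reordered) request.
        if last is not None and counter <= last:
            return "replay"
        threads[thread] = counter
        return "first-seen" if first else "ok"

def demo():
    # Constructed sample sequence using the header values from the message.
    sid = "P8SjbDp5Wjc65HZOofFC2w=="
    sample = [f"{sid}, 0", f"{sid}, 1", f"{sid}, 1",
              f"{sid}, A, 0", f"{sid}, A, 0", "not a header"]
    guard = ReplayGuard()
    return [guard.check(v) for v in sample]

if __name__ == "__main__":
    print(demo())
```

The guard keeps one entry per session and thread, so a real server would also need to expire old entries.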
