Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Your opinions are solicited ...
From: "L.W." <eldub () POBOX COM>
Date: Tue, 31 Oct 2000 09:51:59 -0800

-> > -----Original Message-----
-> > From: Paul Robinson [mailto:paul () AKITANET CO UK]
-> > Sent: Tuesday, October 31, 2000 9:59 AM
-> >
-> > [...]
-> > In
-> > addition I'd probably do some session-authentication with
-> > changing cookies
-> > per transaction, combined with IP authentication.
-> > [...]
->
-> IP authentication? In today's world or access through NATed firewall
-> or proxy servers, or providers like AOL, all in an Internet
-> environment increasingly becoming akamaied... uhm... cached, I
-> strongly doubt that IP authentication is viable. Take AOL users for
-> example: One request appears to be coming from proxy1.aol.com, the
-> next request from proxy3.aol.com. That would mean that your 'IP
-> authenticated' web page will invalidate the second request.

Actually, many systems allow SSL sessions to bypass the proxy (many online
services, especially banks, require a direct connections for SSL).  This
makes IP-based authentication possible under that context, although not
guaranteed.

-LW
eldub () pobox com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault