(keitai-l) Bad Security Decisions

From: Curt Sampson <cjs_at_cynic.net>
Date: 07/17/01
Message-ID: <Pine.LNX.4.33.0107171309210.10532-100000@denkigama.nat.shibuya.blink.co.jp>
On Tue, 17 Jul 2001, Kyle Barrow wrote:

> HTTP_REFERER: Self-explanatory and very useful additional security check.

Um...no. This is basically useless as far as security is concerned. C'mon,
we all know how to forge HTTP headers.

(Hundreds of issues a week come through BUGTRAQ, and I swear that eighty
percent of them are due to software developers making really bad decisions
about what data to use for authentication.)

> HTTP_X_UP_SUBNO: A globally unique subscriber ID. This is the first, best
> method for content personalization.

This is pretty horrible, I think, unless it can be turned off. I really
don't like the thought of having my browsing habits tracked to this
degree.

Even worse, I'd bet that more than one idiot web site developer is going
to decide that this constitutes a good authentication token. (See above
rant.) Which of course means you're giving every web site you visit the
ability to impersonate you to those sites that authenticate based on this.

(And no, authenticating based on this and IP address isn't enough, since
I can just use source address spoofing and sequence number guessing to
send commands, even if I can't see the responses. Not that IP address
will be useful anyway if a ton of phone companies start using this.)

The more I think about it, the more this GUID seems like a really,
really bad idea.

cjs
-- 
Curt Sampson <cjs@cynic.net>  +81 3 5778 0123   de gustibus, aut bene aut nihil

Basically, a tool is an object that enables you to take advantage of the laws
of physics and mechanics in such a way that you can seriously injure yourself.
                                             --Dave Barry


[ Did you check the archives?   http://www.appelsiini.net/keitai-l/ ]
Received on Tue Jul 17 07:09:50 2001
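The point of the mail above, shown in code. This is an added example and not code from the original post, the list, or any WAP gateway; it models a CGI-style request as a dict carrying the two header names under discussion (HTTP_REFERER and HTTP_X_UP_SUBNO). The subscriber table, the hostname `portal.example.jp`, the `HTTP_X_SESSION` header, the session-token format and the server secret are all constructed for the example. A "weak" check that trusts those headers accepts a request an attacker typed by hand; a check that trusts only a server-minted, HMAC-signed session token does not, and also rejects a token whose subscriber field was edited and one that has expired.

```python
"""Added example: why client-supplied headers are not authentication.

Two checks run against a CGI-style environ dict with the header names the
mail discusses (HTTP_REFERER, HTTP_X_UP_SUBNO): a weak one that trusts
those headers, and one that trusts only a server-signed session token.
The subscriber IDs, hostname, session header and secret are constructed
for this example; nothing here describes a real gateway's behaviour.
"""
import hashlib
import hmac
import time

# Constructed subscriber table: gateway subscriber ID -> account name.
SUBSCRIBERS = {"SUB-0001": "alice", "SUB-0002": "bob"}

# Constructed server-side secret; in practice loaded from config, never from a request.
SERVER_SECRET = b"example-only-secret-do-not-reuse"

# Constructed "trusted" referer origin, as a site might naively allowlist.
TRUSTED_REFERER_PREFIX = "http://portal.example.jp/"


def weak_authenticate(environ):
    """The decision the mail warns about: Referer and the subscriber-ID
    header are taken as proof of who is calling. Both are ordinary request
    headers, so whoever sends the request chooses their values."""
    if not environ.get("HTTP_REFERER", "").startswith(TRUSTED_REFERER_PREFIX):
        return None
    return SUBSCRIBERS.get(environ.get("HTTP_X_UP_SUBNO", ""))


def forged_environ(victim_subno):
    """What any HTTP client can send: the attacker (or any site that ever
    saw the victim's subscriber ID) fills in exactly the headers the weak
    check relies on. No phone and no gateway are involved."""
    return {
        "REQUEST_METHOD": "GET",
        "REMOTE_ADDR": "203.0.113.9",  # attacker's own address (constructed)
        "HTTP_REFERER": TRUSTED_REFERER_PREFIX + "menu",
        "HTTP_X_UP_SUBNO": victim_subno,
    }


def issue_session_token(subno, now=None, ttl=3600):
    """Server-issued credential, minted only after a real login step
    (password, one-time code, ...) that this example does not show.
    Subscriber ID and expiry are bound under an HMAC keyed with the
    server secret, so the holder cannot alter either field."""
    exp = int(now if now is not None else time.time()) + ttl
    payload = f"{subno}|{exp}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{subno}|{exp}|{mac}"


def strong_authenticate(environ, now=None):
    """Trusts nothing the client can make up on its own: the session token
    must carry a MAC only the server could have produced, and the
    HTTP_X_UP_SUBNO header plays no part in the decision."""
    token = environ.get("HTTP_X_SESSION", "")
    try:
        subno, exp_s, mac = token.split("|")
        exp = int(exp_s)
    except ValueError:
        return None
    payload = f"{subno}|{exp}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if exp < int(now if now is not None else time.time()):
        return None
    return SUBSCRIBERS.get(subno)


def demo():
    """Runs the forged request through both checks; returns the outcomes."""
    victim = "SUB-0001"
    attack = forged_environ(victim)
    weak = weak_authenticate(attack)                 # "alice": impersonation succeeds
    strong_no_token = strong_authenticate(attack)    # None: no server-minted token
    # Bob's own valid token with the subscriber field edited to Alice's ID.
    bobs = issue_session_token("SUB-0002", now=1000)
    tampered = dict(attack, HTTP_X_SESSION=bobs.replace("SUB-0002", "SUB-0001", 1))
    strong_tampered = strong_authenticate(tampered, now=1000)   # None: MAC mismatch
    legit = dict(attack, HTTP_X_SESSION=issue_session_token(victim, now=1000))
    strong_legit = strong_authenticate(legit, now=1000)          # "alice"
    expired = strong_authenticate(legit, now=1000 + 3600 + 1)    # None: past ttl
    return weak, strong_no_token, strong_tampered, strong_legit, expired


if __name__ == "__main__":
    print(demo())
```

The IP-address part of the mail (source-address spoofing with sequence-number guessing, and many subscribers sharing gateway addresses) happens below HTTP and is not modelled here; the takeaway is the same, though: anything the request itself carries, including REMOTE_ADDR for a blind attacker, is the client's claim, not the server's knowledge.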