On Saturday, 10 November 2001 10:39 PM, Kyle Barrow wrote:
>> Checking for phone type is an excellent idea. We add a timestamp in
>> the encrypted UID but doesn't network resolution dramatically increase
>> transaction time?
The network verification feature will take a little more time to
implement, but in a nutshell:
Network resolution is best done as a secondary (background) process
connected to logging of users' details in an activity log. A separate
task (in C) scans the database and verifies the details of all logged in
users; if it finds something unverifiable then it logs out the user on
that session.
On a low demand site (and let's face it, what iMode site isn't low demand
considering the bandwidth of users) it will run more or less real time
with no effect on the processing or display of page data.
The loophole is that a hacker could potentially imitate a phone user for
a single page request, until the monitoring program caught up and logged
them off. That's provided that they can correctly guess the 64 bit ID
of one of the currently logged in users in the first place and the
firewall doesn't pick the attack before that case.
Not perfect but perhaps the best that can be achieved for now without a
generic security layer.
When we release as Open Source I'll be interested to see how people can
improve on the model.
Regards,
David Davies
http://www.intadev.com
[ Need archives? How to unsubscribe? http://www.appelsiini.net/keitai-l/ ]
Received on Mon Nov 12 09:42:15 2001
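Added illustration of the log-then-verify scheme described above, written for this archive page and not the author's C task (which is not shown). Page requests only consult the activity log; a separate sweep resolves each logged-in session against the network and logs out anything it cannot verify. The Session fields, the MAX_TOKEN_AGE freshness check on the timestamp carried with the UID, the resolver callback and all sample entries are assumptions constructed for the example.

```python
"""Simulation of a background session-verification sweep.

Foreground: serve the page if the activity log has an active session for
the presented 64-bit UID (no network round trip on the request path).
Background: a separate pass resolves every active session against the
network and logs out any session whose details cannot be verified.
Constructed example; not the mailing-list author's code.
"""
import secrets
import time
from dataclasses import dataclass

MAX_TOKEN_AGE = 600  # seconds a timestamped UID stays acceptable (assumption)


@dataclass
class Session:
    uid: int             # 64-bit id carried in the encrypted token
    issued_at: float     # timestamp embedded alongside the uid
    claimed_type: str    # phone type claimed on the request
    active: bool = True
    verified: bool = False


def new_session(claimed_type, now):
    """Create a logged-in session with a fresh random 64-bit UID."""
    return Session(uid=secrets.randbits(64), issued_at=now,
                   claimed_type=claimed_type)


def verify_session(sess, resolver, now):
    """True if the session's details check out against the network.

    resolver(uid) returns the phone type the network reports for that id,
    or None when the id is unknown (assumed interface)."""
    if now - sess.issued_at > MAX_TOKEN_AGE:
        return False                      # stale timestamp in the token
    actual = resolver(sess.uid)
    return actual is not None and actual == sess.claimed_type


def sweep(activity_log, resolver, now):
    """Background pass over the activity log.

    Verifies every active session and deactivates the failures.
    Returns the uids that were logged out."""
    logged_out = []
    for sess in activity_log:
        if not sess.active:
            continue
        if verify_session(sess, resolver, now):
            sess.verified = True
        else:
            sess.active = False
            logged_out.append(sess.uid)
    return logged_out


def serve_request(activity_log, uid, now):
    """Foreground path: only the activity log is consulted, so a session
    that later fails verification is still served until the sweep runs.
    This is the window the mail calls the loophole."""
    for sess in activity_log:
        if sess.uid == uid and sess.active:
            return True
    return False


def demo():
    """Run one request/sweep/request cycle over a constructed activity log."""
    now = time.time()
    log = []
    genuine = new_session("TYPE-A", now)          # constructed, known to network
    log.append(genuine)
    network = {genuine.uid: "TYPE-A"}
    bogus = new_session("TYPE-A", now)            # constructed, unknown to network
    log.append(bogus)
    stale = new_session("TYPE-B", now - 2 * MAX_TOKEN_AGE)  # constructed, expired
    log.append(stale)
    network[stale.uid] = "TYPE-B"
    served_before = serve_request(log, bogus.uid, now)   # served once
    logged_out = sweep(log, network.get, now)
    served_after = serve_request(log, bogus.uid, now)    # cut off by the sweep
    return (served_before,
            sorted(logged_out) == sorted([bogus.uid, stale.uid]),
            served_after,
            genuine.active)


if __name__ == "__main__":
    print(demo())
```

The sweep runs on its own schedule, so the size of the exposure window is the sweep interval plus the resolver latency; shrinking that interval is the only knob this design offers, short of resolving on the request path.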