Geekzone: technology news, blogs, forums
Reply # 289024 11-Jan-2010 17:10

You know, we could almost split this off into a discussion in the Development forum about the merits of authentication mechanisms, huh?

Personally, my approach is to not permit "remember me" functionality at all (my implementation doesn't need it). From there, I salt and SHA1 hash all passwords, and a login simply sets the session variables identifying what customer a session has authenticated as. If you needed auto login, I can't honestly imagine what method you'd use.




I finally have fibre!  Had to leave the country to get it though.
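The salted-hash-and-session-variable login the post describes, as an added example that is not the poster's code: it uses PBKDF2-HMAC-SHA256 (iterated, with a random per-user salt) where the post uses a single salted SHA1 round, keeps users and sessions in in-memory dicts standing in for a database, and, since the post asks what an auto-login would use, also includes one common "remember me" scheme: a random selector plus a random validator in the cookie, with only the validator's hash stored server side so a copy of the server table cannot be replayed. Usernames, passwords and customer ids below are constructed.

```python
# Added example, not code from the Geekzone post above. PBKDF2-HMAC-SHA256
# stands in for the post's salted SHA1; the dicts stand in for a database.
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000

USERS = {}            # username -> {"salt": bytes, "hash": bytes, "customer_id": int}
SESSIONS = {}         # session_id -> customer_id (the "session variable")
REMEMBER_TOKENS = {}  # selector -> {"validator_hash": bytes, "customer_id": int}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. The salt is random per user, never site-wide."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str, customer_id: int) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "customer_id": customer_id}


def login(username: str, password: str) -> Optional[str]:
    """Verify credentials; on success create a session and return its id."""
    record = USERS.get(username)
    if record is None:
        # Do the same work as a real check so timing does not reveal valid usernames.
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = record["customer_id"]
    return session_id


def customer_for_session(session_id: str) -> Optional[int]:
    return SESSIONS.get(session_id)


def issue_remember_token(customer_id: int) -> str:
    """Persistent-login cookie value 'selector:validator'. Only a hash of the
    validator is stored, so a leaked REMEMBER_TOKENS table is not reusable."""
    selector = secrets.token_urlsafe(9)
    validator = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = {
        "validator_hash": hashlib.sha256(validator.encode()).digest(),
        "customer_id": customer_id,
    }
    return f"{selector}:{validator}"


def login_with_remember_token(cookie_value: str) -> Optional[str]:
    """Exchange a remember-me cookie for a fresh session. The token is single use:
    the caller should issue a new one (rotation) after a successful exchange."""
    try:
        selector, validator = cookie_value.split(":", 1)
    except ValueError:
        return None
    record = REMEMBER_TOKENS.get(selector)
    if record is None:
        return None
    presented = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(presented, record["validator_hash"]):
        # Right selector, wrong validator: the cookie was tampered with or
        # guessed. Revoke the token rather than allowing further attempts.
        del REMEMBER_TOKENS[selector]
        return None
    del REMEMBER_TOKENS[selector]
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = record["customer_id"]
    return session_id


if __name__ == "__main__":
    register("alice", "correct horse battery staple", customer_id=42)
    sid = login("alice", "correct horse battery staple")
    print("session ->", customer_for_session(sid))          # 42
    token = issue_remember_token(42)
    print("remember ->", customer_for_session(login_with_remember_token(token)))  # 42
    print("replay ->", login_with_remember_token(token))     # None, already used
```

The split into selector and validator matters: the selector is looked up with an ordinary dictionary/database query, and only the validator is compared in constant time, so neither the lookup nor a table leak gives an attacker a usable cookie.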




Reply # 289576 13-Jan-2010 11:21

Ok so IP address comes from ISP. Will the IP vary by using different internet connection methods within one ISP?

i.e. is the IP the same or different when connecting via mobile broadband or landline broadband?

[EDIT] OR... between 2 same-model Huawei vodem devices?

Reply # 289579 13-Jan-2010 11:30

Generally the IP address will be different. IP addresses are assigned out of a pool of available IP addresses. If you disconnect and then reconnect immediately it is possible that you will get the same IP address, but most likely you won't. It has nothing to do with who you are, where you are or what hardware you are using. It is solely based on the next available IP address in the pool of available IP addresses.


Edmund



Reply # 289586 13-Jan-2010 11:40

Thanks, that's very helpful.

So is this pool a defined list of IP addresses between xxx and xxx for each company, i.e. an IP address when connecting with Telecom will never be given to a Vodafone customer because they have separate pools to pick IPs from?

Reply # 289675 13-Jan-2010 15:25

The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally. IANA works in cooperation with five Regional Internet Registries (RIRs) to allocate IP address blocks to Local Internet Registries (Internet service providers) and other entities.

Ref:
http://en.wikipedia.org/wiki/IP_address

Also worth noting most ISPs/companies have more than one block or range of IP addresses.

So to answer your question, someone on Vodafone will not be assigned an IP address from a range owned/assigned to Telecom.

Also you can, from an individual IP address, find out the range/block it's in, thus which ISP/company it's assigned to and thus which region has allocated it.




Reply # 289716 13-Jan-2010 16:58

Or Pa$$w0rd or P@ssw0rd :)

Reply # 289731 13-Jan-2010 17:27

Who knows... :D




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

Reply # 291219 19-Jan-2010 15:37

freitasm:
friedCrumpet: Password in the cookie? I hope geekzone is well tested for XSS vulnerabilities!

Do you worry about Trade Me? They store passwords in plain text too...



Mauritio is correct, of course, to point out that we should not recycle passwords across websites.


That said -


TradeMe do appear to store passwords in plaintext serverside (which is a no-no in my book too), but a check of my TM cookies does NOT show a password stored in plaintext. They may have (finally!) gotten with the times on that one, or I may have missed a crumb or two somewhere.


However, Geekzone is using both a plaintext cookie, AND a GET redirect when visiting some GZ URLs (maybe just blogs?) when it does the funky 404.asp redirect. The cookie is right there in the URL when this happens.


So this is a little more compounded than what TM are doing, notwithstanding the fact that a security flaw in another site is not a reason to have one in your own.


The HTTP GET request is "even less private" than cookies. ISP and corporate proxies will be merrily logging passwords left right and centre for Geekzone users who choose to stay logged in.


Even if that was resolved, the plaintext cookie is an issue both at the client's computer (readable passwords on the PC itself, which can be easily borrowed or stolen) and on the wire between the visitor and GZ with every request.


It's easy to point at issues in other people's sites, and security is a never-ending task. I'm not being down on GZ for the current situation, but I am speaking in favour of improving the default security settings (and setting a good example) by doing the following -


  • Don't GET with sensitive details

  • Don't store creds plaintext, anywhere

  • Do keep track of authenticated sessions without requiring full creds each request. See hashes below.

  • Do use HTTPS logins by default (keeping auth concealed in all cases)


I don't claim to be a security expert; there are probably good improvements which can be added to this.



PS. Magu's suggestion of using hashes can work, esp. if the hash includes more than just the auth details. Mauritio says that then people can just steal the hash, but this doesn't need to be so easy.

E.g., make a hash of valid session ID, user IP, browser name and your own secret sauce; then supply that to the client along with the session ID. That increases the difficulty of faking a session via hijacked data significantly.
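The hash-bound session the post sketches, as an added example that is not from the post or from Geekzone's own code: the cookie carries a random session id plus an HMAC-SHA256 over the session id, client IP and User-Agent keyed with a server-side secret (the "secret sauce"), so a copy of the cookie replayed from another address or browser fails verification and the cookie itself contains nothing derived from the password. A small helper shows the Set-Cookie flags that keep the cookie out of script and off plain HTTP, which covers the HTTPS item in the list above. The session store, the secret, and the IP and User-Agent strings are constructed for the script.

```python
# Added example, not code from the Geekzone post above. Everything here
# (secret, session table, addresses, User-Agent strings) is constructed.
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_SECRET = secrets.token_bytes(32)   # server side only, never sent to the client
SESSIONS = {}                              # session_id -> customer_id


def _binding_mac(session_id: str, client_ip: str, user_agent: str) -> str:
    """HMAC-SHA256 over the session id and the client properties the session is
    bound to. Fields are length-prefixed so 'a|bc' and 'ab|c' cannot collide."""
    mac = hmac.new(SERVER_SECRET, digestmod=hashlib.sha256)
    for field in (session_id, client_ip, user_agent):
        data = field.encode()
        mac.update(len(data).to_bytes(4, "big"))
        mac.update(data)
    return mac.hexdigest()


def issue_cookie(customer_id: int, client_ip: str, user_agent: str) -> str:
    """Create a session and return the cookie value 'session_id.mac'.
    token_urlsafe never contains '.', so the separator is unambiguous."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = customer_id
    return f"{session_id}.{_binding_mac(session_id, client_ip, user_agent)}"


def customer_from_cookie(cookie_value: str, client_ip: str,
                         user_agent: str) -> Optional[int]:
    """Return the customer id only if the cookie is intact and is presented from
    the same IP and browser it was issued to; otherwise None."""
    session_id, sep, presented_mac = cookie_value.partition(".")
    if not sep or session_id not in SESSIONS:
        return None
    expected = _binding_mac(session_id, client_ip, user_agent)
    if not hmac.compare_digest(presented_mac, expected):
        return None            # hijacked from elsewhere, or tampered with
    return SESSIONS[session_id]


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line: HttpOnly keeps it from script (XSS), Secure keeps it off
    plain HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    ip, ua = "203.0.113.7", "Mozilla/5.0 (Firefox)"
    cookie = issue_cookie(42, ip, ua)
    print(set_cookie_header("gzsession", cookie))
    print("same client  ->", customer_from_cookie(cookie, ip, ua))            # 42
    print("other IP     ->", customer_from_cookie(cookie, "198.51.100.9", ua))  # None
    print("other browser->", customer_from_cookie(cookie, ip, "Mozilla/5.0 (Chrome)"))  # None
```

The caveat a practitioner would add: binding to the IP breaks sessions for users whose address changes mid-session (mobile broadband, ISP address pools as discussed earlier in this thread, corporate proxies with several egress addresses), so many sites bind only to the User-Agent or to a coarser prefix and rely on HttpOnly plus HTTPS to keep the cookie from being copied in the first place. Whatever is bound, the server-side secret is what stops an attacker from forging the MAC for their own IP and browser.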


Reply # 291222 19-Jan-2010 15:45

I did notice the GET requests with the cookie contents in plain sight that xurizaemon mentioned on my switch back from Chrome to Safari.

And I support his list of DOs and DON'Ts 100%.

But enough of hijacking this thread. ;D




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



Reply # 291337 19-Jan-2010 23:14

Hey, that's no problem, hijack away. It makes interesting reading even if it's over my head.

I'll even hijack my own thread - anyone know where I can find Telecom's CDMA mobile broadband plans/costs online? I keep searching but only find XT prices.

Reply # 291521 20-Jan-2010 14:30

But enough of hijacking this thread. ;D



Apologies for the threadjacking, please don't report me to the DHS.


In my defense, I noticed the issue separately and mentioned via DM to @freitasm on Twitter, and he pointed me this way :)

Reply # 291533 20-Jan-2010 14:45

xurizaemon:
But enough of hijacking this thread. ;D



Apologies for the threadjacking, please don't report me to the DHS.


In my defense, I noticed the issue separately and mentioned via DM to @freitasm on Twitter, and he pointed me this way :)

I actually meant that to myself. ;D




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown
