Geekzone: technology news, blogs, forums
  Reply # 289024 11-Jan-2010 17:10

You know, we could almost split this off into a discussion in the Development forum about the merits of authentication mechanisms, huh?

Personally, my approach is to not permit "remember me" functionality at all (my implementation doesn't need it). From there, I salt and SHA1 hash all passwords, and a login simply sets the session variables identifying what customer a session has authenticated as. If you needed auto login, I can't honestly imagine what method you'd use.




I finally have fibre!  Had to leave the country to get it though.




  Reply # 289576 13-Jan-2010 11:21

Ok so IP address comes from ISP. Will the IP vary by using different internet connection methods within one ISP?

ie is IP same or different when connecting via mobile broadband or landline broadband?

[EDIT] OR... between 2 same model huawei vodem devices?

  Reply # 289579 13-Jan-2010 11:30

Generally the IP address will be different. IP addresses are assigned out of a pool of available IP addresses. If you disconnect and then reconnect immediately it is possible that you will get the same IP address, but most likely you won't. It has nothing to do with who you are, where you are or what hardware you are using. It is solely based on the next available IP address in the pool of available IP addresses.


Edmund



  Reply # 289586 13-Jan-2010 11:40

Thanks, that's very helpful.

So is this pool a defined list of IP addresses between xxx and xxx for each company, i.e. an IP address when connecting with Telecom will never be given to a Vodafone customer because they have separate pools to pick IPs from?

  Reply # 289675 13-Jan-2010 15:25

The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally. IANA works in cooperation with five Regional Internet Registries (RIRs) to allocate IP address blocks to Local Internet Registries (Internet service providers) and other entities.

Ref:
http://en.wikipedia.org/wiki/IP_address

Also worth noting most ISPs/companies have more than one block or range of IP addresses.

So to answer your question, someone on Vodafone will not be assigned an IP address from a range owned/assigned to Telecom.


Also you can, from an individual IP address, find out the range/block it's in, thus which ISP/company it's assigned to and thus which region has allocated it.




  Reply # 289716 13-Jan-2010 16:58

Or Pa$$w0rd or P@ssw0rd Smile

  Reply # 289731 13-Jan-2010 17:27

Who knows... :D




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

  Reply # 291219 19-Jan-2010 15:37

freitasm:
friedCrumpet: Password in the cookie? I hope geekzone is well tested for XSS vulnerabilities!

Do you worry about Trade Me? They store passwords in plain text too...



Mauritio is correct, of course, to point out that we should not recycle passwords across websites.


That said -


TradeMe do appear to store passwords in plaintext serverside (which is a no-no in my book too), but a check of my TM cookies does NOT show a password stored in plaintext. They may have (finally!) gotten with the times on that one, or I may have missed a crumb or two somewhere.


However, Geekzone is using both a plaintext cookie, AND a GET redirect when visiting some GZ URLs (maybe just blogs?) when it does the funky 404.asp redirect. The cookie is right there in the URL when this happens.


So this is a little more compounded than what TM are doing, notwithstanding the fact that a security flaw in another site is not a reason to have one in your own.


The HTTP GET request is "even less private" than cookies. ISP and corporate proxies will be merrily logging passwords left right and centre for Geekzone users who choose to stay logged in.


Even if that was resolved, the plaintext cookie is an issue both at the client's computer (readable passwords on the PC itself, which can be easily borrowed or stolen) and on the wire between the visitor and GZ with every request.


It's easy to point at issues in other people's sites, and security is a never-ending task. I'm not being down on GZ for the current situation, but I am speaking in favour of improving the default security settings (and setting a good example) by doing the following -


  • Don't GET with sensitive details

  • Don't store creds plaintext, anywhere

  • Do keep track of authenticated sessions without requiring full creds each request. See hashes below.

  • Do use HTTPS logins by default (keeping auth concealed in all cases)


I don't claim to be a security expert; there are probably good improvements which can be added to this.



PS. Magu's suggestion of using hashes can work, esp if the hash includes more than just the auth details. Mauritio says that then people can just steal the hash, but this doesn't need to be so easy. 


Eg, make a hash of valid session ID, user IP, browser name and your own secret sauce; then supply that to the client along with the session ID. That increases the difficulty of faking a session via hijacked data significantly.
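The keyed-hash session binding sketched in the post above, as an added example that is not code from the post or from Geekzone itself: the server secret, the session ID scheme and the sample client values are all constructed for illustration, and the hash is an HMAC-SHA256 rather than a bare hash so the secret cannot be brute-forced out of a captured token.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed server-side secret for this example (the post's "secret sauce").
# In a real deployment it comes from configuration, never from source control.
SERVER_SECRET = b"example-secret-do-not-use"


def _binding_message(session_id: str, client_ip: str, user_agent: str) -> bytes:
    # Newline-separated fields; session IDs from new_session_id() never contain one.
    return "\n".join([session_id, client_ip, user_agent]).encode()


def make_session_token(session_id: str, client_ip: str, user_agent: str) -> str:
    """Return 'session_id.mac', where mac ties the session to the client context.

    The MAC covers session ID, client IP and browser name under the server secret,
    so a copied token only verifies when replayed from the same context.
    """
    mac = hmac.new(SERVER_SECRET, _binding_message(session_id, client_ip, user_agent),
                   hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_session_token(token: str, client_ip: str, user_agent: str) -> Optional[str]:
    """Return the session ID if the token matches this request's context, else None."""
    session_id, sep, presented_mac = token.partition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(SERVER_SECRET, _binding_message(session_id, client_ip, user_agent),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak the expected MAC.
    if not hmac.compare_digest(presented_mac, expected):
        return None
    return session_id


def new_session_id() -> str:
    """Unguessable session ID; the MAC adds context binding, not unpredictability."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    sid = new_session_id()
    ip, ua = "203.0.113.7", "Safari"  # constructed sample client context
    token = make_session_token(sid, ip, ua)
    print("same client:", verify_session_token(token, ip, ua) == sid)          # True
    print("other IP:   ", verify_session_token(token, "198.51.100.9", ua))     # None
    print("other UA:   ", verify_session_token(token, ip, "Chrome"))           # None
```

Binding to the client IP will log out mobile and carrier-NAT users whose address changes mid-session (the pool behaviour discussed earlier in this thread), and the browser name is client-supplied, so the token still needs a server-side session record and an expiry rather than relying on the MAC alone.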


  Reply # 291222 19-Jan-2010 15:45

I did notice the GET requests with the cookie contents in plain sight that xurizaemon mentioned on my switch back from Chrome to Safari.

And I support his list of DOs and DON'Ts 100%.

But enough of hijacking this thread. ;D




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



  Reply # 291337 19-Jan-2010 23:14

Hey, that's no problem, hijack away. It makes interesting reading even if it's over my head.

I'll even hijack my own thread - anyone know where I can find Telecom's CDMA mobile broadband plans/costs online? I keep searching but only find XT prices.

  Reply # 291521 20-Jan-2010 14:30

But enough of hijacking this thread. ;D



Apologies for the threadjacking, please don't report me to the DHS.


In my defense, I noticed the issue separately and mentioned via DM to @freitasm on Twitter, and he pointed me this way :)

  Reply # 291533 20-Jan-2010 14:45

xurizaemon:
But enough of hijacking this thread. ;D



Apologies for the threadjacking, please don't report me to the DHS.


In my defense, I noticed the issue separately and mentioned via DM to @freitasm on Twitter, and he pointed me this way :)

I actually meant that to myself. ;D




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown
