Geekzone: technology news, blogs, forums
2915 posts

Uber Geek
+1 received by user: 414

Trusted
Subscriber

  Reply # 289024 11-Jan-2010 17:10

You know, we could almost split this off into a discussion in the Development forum about the merits of authentication mechanisms, huh?

Personally, my approach is to not permit "remember me" functionality at all (my implementation doesn't need it). From there, I salt and SHA1 hash all passwords, and a login simply sets the session variables identifying what customer a session has authenticated as. If you needed auto login, I can't honestly imagine what method you'd use.




I finally have fibre!  Had to leave the country to get it though.
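The "salt and hash" storage described in the post above, written out as an added example (not Geekzone's code). It shows the salted SHA-1 variant the poster mentions beside PBKDF2, the slow KDF a practitioner would choose instead; function names and the round count are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def make_salted_sha1(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted SHA-1 as the post describes: returns (salt, digest).
    Fast hashes like SHA-1 are cheap to brute force offline, so this is
    kept only for comparison with the PBKDF2 version below."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return salt, digest

def make_pbkdf2(password: str, salt: Optional[bytes] = None,
                rounds: int = 200_000) -> Tuple[bytes, bytes]:
    """Same salt idea, but PBKDF2-HMAC-SHA256 is deliberately slow,
    which is what limits an attacker who steals the password table."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest

def verify(password: str, salt: bytes, stored: bytes, scheme: str = "pbkdf2") -> bool:
    """Recompute with the stored salt and compare in constant time so the
    comparison itself does not leak how many leading bytes matched."""
    if scheme == "sha1":
        _, digest = make_salted_sha1(password, salt)
    else:
        _, digest = make_pbkdf2(password, salt)
    return hmac.compare_digest(digest, stored)
```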




1209 posts

Uber Geek
+1 received by user: 56


  Reply # 289576 13-Jan-2010 11:21

Ok, so the IP address comes from the ISP. Will the IP vary by using different internet connection methods within one ISP?

i.e. is the IP the same or different when connecting via mobile broadband or landline broadband?

[EDIT] OR... between 2 same model Huawei vodem devices?


16 posts

Geek


  Reply # 289579 13-Jan-2010 11:30

Generally the IP address will be different. IP addresses are assigned out of a pool of available IP addresses. If you disconnect and then reconnect immediately it is possible that you will get the same IP address, but most likely you won't. It has nothing to do with who you are, where you are or what hardware you are using. It is solely based on the next available IP address in the pool of available IP addresses.


Edmund



1209 posts

Uber Geek
+1 received by user: 56


  Reply # 289586 13-Jan-2010 11:40

Thanks, that's very helpful.

So is this pool a defined list of IP addresses between xxx and xxx for each company, i.e. an IP address when connecting with Telecom will never be given to a Vodafone customer because they have separate pools to pick IPs from?

8020 posts

Uber Geek
+1 received by user: 386

Trusted
Subscriber

  Reply # 289675 13-Jan-2010 15:25

The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally. IANA works in cooperation with five Regional Internet Registries (RIRs) to allocate IP address blocks to Local Internet Registries (Internet service providers) and other entities.

Ref:
http://en.wikipedia.org/wiki/IP_address

Also worth noting most ISPs/companies have more than one block or range of IP addresses.

So to answer your question, someone on Vodafone will not be assigned an IP address from a range owned/assigned to Telecom.

Also, from an individual IP address you can find out the range/block it's in, thus which ISP/company it's assigned to and thus which region has allocated it.




16 posts

Geek


  Reply # 289716 13-Jan-2010 16:58

Or Pa$$w0rd or P@ssw0rd :)

Professional yak shaver
1599 posts

Uber Geek
+1 received by user: 8

Trusted
BitSignal
Subscriber

  Reply # 289731 13-Jan-2010 17:27

Who knows... :D




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown

147 posts

Master Geek
+1 received by user: 1


  Reply # 291219 19-Jan-2010 15:37

freitasm:
friedCrumpet: Password in the cookie? I hope geekzone is well tested for XSS vulnerabilities!

Do you worry about Trade Me? They store passwords in plain text too...



Mauritio is correct, of course, to point out that we should not recycle passwords across websites.


That said -


TradeMe do appear to store passwords in plaintext serverside (which is a no-no in my book too), but a check of my TM cookies does NOT show a password stored in plaintext. They may have (finally!) gotten with the times on that one, or I may have missed a crumb or two somewhere.


However, Geekzone is using both a plaintext cookie, AND a GET redirect when visiting some GZ URLs (maybe just blogs?) when it does the funky 404.asp redirect. The cookie is right there in the URL when this happens.


So this is a little more compounded than what TM are doing, notwithstanding the fact that a security flaw in another site is not a reason to have one in your own.


The HTTP GET request is "even less private" than cookies. ISP and corporate proxies will be merrily logging passwords left right and centre for Geekzone users who choose to stay logged in.


Even if that was resolved, the plaintext cookie is an issue both at the client's computer (readable passwords on the PC itself, which can be easily borrowed or stolen) and on the wire between the visitor and GZ with every request.


It's easy to point at issues in other people's sites, and security is a never-ending task. I'm not being down on GZ for the current situation, but I am speaking in favour of improving the default security settings (and setting a good example) by doing the following -


  • Don't GET with sensitive details

  • Don't store creds plaintext, anywhere

  • Do keep track of authenticated sessions without requiring full creds each request. See hashes below.

  • Do use HTTPS logins by default (keeping auth concealed in all cases)


I don't claim to be a security expert; there are probably good improvements which can be added to this.



PS. Magu's suggestion of using hashes can work, esp if the hash includes more than just the auth details. Mauritio says that then people can just steal the hash, but this doesn't need to be so easy. 


Eg, make a hash of valid session ID, user IP, browser name and your own secret sauce; then supply that to the client along with the session ID. That increases the difficulty of faking a session via hijacked data significantly.
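The session-binding idea in the PS above, written out as an added example (not Geekzone's code): the server hands the client a session ID plus an HMAC over the session ID, client IP, browser name and a server-side secret, and rejects a token presented from a different IP or browser. `SERVER_SECRET` and the function names are this example's own assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholder; a real deployment keeps this out of source
# and rotates it.
SERVER_SECRET = b"example-only-secret-not-for-production"

def session_binding(session_id: str, client_ip: str, user_agent: str) -> str:
    """HMAC-SHA256 over the fields the server can observe on every request.
    Without SERVER_SECRET a client cannot forge a tag for a different IP."""
    msg = "\x00".join([session_id, client_ip, user_agent]).encode("utf-8")
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_cookie(session_id: str, client_ip: str, user_agent: str) -> str:
    """Cookie value sent to the client: session ID plus its binding tag.
    No credentials are stored in the cookie, only the opaque tag."""
    return f"{session_id}:{session_binding(session_id, client_ip, user_agent)}"

def validate_cookie(cookie: str, client_ip: str, user_agent: str) -> Optional[str]:
    """Return the session ID if the tag matches this request, else None.
    A tag copied from another machine fails because the IP or browser
    name differs, so the recomputed HMAC no longer matches."""
    try:
        session_id, tag = cookie.split(":", 1)
    except ValueError:
        return None
    expected = session_binding(session_id, client_ip, user_agent)
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id
```

Binding to the client IP has the side effect the earlier replies describe: a mobile broadband user whose address changes on reconnect is logged out, so some sites bind only to the browser name and the secret.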


Professional yak shaver
1599 posts

Uber Geek
+1 received by user: 8

Trusted
BitSignal
Subscriber

  Reply # 291222 19-Jan-2010 15:45

I did notice the GET requests with the cookie contents in plain sight that xurizaemon mentioned on my switch back from Chrome to Safari.

And I support his list of DOs and DON'Ts 100%.

But enough of hijacking this thread. ;D




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



1209 posts

Uber Geek
+1 received by user: 56


  Reply # 291337 19-Jan-2010 23:14

Hey, that's no problem, hijack away. It makes interesting reading even if it's over my head.

I'll even hijack my own thread - anyone know where I can find Telecom's CDMA mobile broadband plans/costs online? I keep searching but only find XT prices.

147 posts

Master Geek
+1 received by user: 1


  Reply # 291521 20-Jan-2010 14:30

But enough of hijacking this thread. ;D



Apologies for the threadjacking, please don't report me to the DHS.


In my defense, I noticed the issue separately and mentioned via DM to @freitasm on Twitter, and he pointed me this way :)

Professional yak shaver
1599 posts

Uber Geek
+1 received by user: 8

Trusted
BitSignal
Subscriber

  Reply # 291533 20-Jan-2010 14:45

xurizaemon:
But enough of hijacking this thread. ;D



Apologies for the threadjacking, please don't report me to the DHS.


In my defense, I noticed the issue separately and mentioned via DM to @freitasm on Twitter, and he pointed me this way :)

I actually meant that to myself. ;D




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown
