Sessions

Perry E. Metzger perry at piermont.com
Mon Jun 16 11:07:10 EDT 2003


Jill.Ramonsky at Aculab.com writes:
> I think I understand this, but I'm not sure if it matters. It seems to me
> that a false negative (failed login) is not particularly serious,

Er, it is if you have to pay $5 or $10 in customer support fees
dealing with the irate customer who spends half an hour or more with
you on the phone upset that he can't log in to his bank account,
especially since the problem will be very difficult for anyone
involved to diagnose or explain. Multiply that by tens of thousands of
calls, and you're talking about real money. Failures like that are a
large fraction of banking costs. Part of the point of on-line banking
for banks is to raise margins, so if you piss all the money away on
support costs and many people can't use the system you're sunk.

> So ... if you find that you can't log in from work (or anywhere you
> may have distributed proxies), tough.

A large fraction, if not the majority, of users are currently behind
proxies and NATs. I doubt it would be possible to block them on that
basis without it being financially ruinous.

In any case, given the various spoofing methods available,
authenticating based on IP address seems rather weak, though I don't
see why a cookie couldn't be tied to an address just to raise the bar
a little if it didn't stop use for proxied/NATed users.

FYI, I would strongly suggest reading the original paper on session ID
fixation/theft -- it goes over a number of ways that IDs can be
mishandled and a number of possible coping strategies.

Perry
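The post above suggests tying a session cookie to the client's address "just to raise the bar a little" without locking out proxied or NATed users, and warns that hard login failures are expensive. The example below is added here and is not code from the original post or from the mailing list; it sketches one defensive way to do that: the server keeps a session table keyed by an unguessable id, the cookie carries an HMAC so forged ids are cheap to reject, and the client address is coarsened to a bucket (/24 for IPv4, /64 for IPv6, an assumed pool size) so a NAT pool still matches. An address change is treated as a soft signal that asks for step-up re-authentication on sensitive actions rather than as a failed login. All names, the key, and the sample addresses are constructed for illustration.

```python
import hmac
import hashlib
import secrets
import ipaddress

# Constructed key for the example; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Server-side session table: sid -> record. In production this is a database or cache.
SESSIONS = {}


def address_bucket(client_ip: str) -> str:
    """Coarsen the client address so that NAT pools and small proxy ranges still
    match: /24 for IPv4, /64 for IPv6. The prefix lengths are an assumption about
    typical address-pool sizes, not a universal rule."""
    addr = ipaddress.ip_address(client_ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def _mac(sid: str, key: bytes = SERVER_KEY) -> str:
    # Integrity tag over the session id, so forged or tampered ids fail fast
    # without a table lookup.
    return hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, client_ip: str) -> str:
    """Create a fresh session after authentication. Issuing a new id here (rather
    than keeping a pre-login id) is the standard defence against session fixation.
    Returns the cookie value 'sid.mac'."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "bucket": address_bucket(client_ip)}
    return f"{sid}.{_mac(sid)}"


def check_session(cookie: str, client_ip: str):
    """Validate a presented cookie. Returns (status, user):
       ('invalid', None)  malformed, forged, or unknown id: treat as logged out
       ('ok', user)       id valid and address bucket unchanged
       ('step_up', user)  id valid but the address moved: a soft signal. Ask for
                          re-authentication before sensitive actions instead of
                          rejecting outright, so roaming or proxied users are not
                          locked out and do not end up on the support line."""
    try:
        sid, mac = cookie.split(".", 1)
    except ValueError:
        return ("invalid", None)
    if not hmac.compare_digest(mac, _mac(sid)):
        return ("invalid", None)
    record = SESSIONS.get(sid)
    if record is None:
        return ("invalid", None)
    if address_bucket(client_ip) != record["bucket"]:
        return ("step_up", record["user"])
    return ("ok", record["user"])


def rebind_session(cookie: str, client_ip: str) -> bool:
    """After a successful step-up, adopt the new address bucket so the user is
    not challenged again on every request from the new location."""
    status, _ = check_session(cookie, client_ip)
    if status == "invalid":
        return False
    sid = cookie.split(".", 1)[0]
    SESSIONS[sid]["bucket"] = address_bucket(client_ip)
    return True


if __name__ == "__main__":
    c = issue_session("alice", "203.0.113.10")
    print(check_session(c, "203.0.113.77"))       # same /24: ok
    print(check_session(c, "198.51.100.5"))       # moved: step_up, not a failure
    print(check_session(c + "x", "203.0.113.10"))  # tampered tag: invalid
```

The address check here is deliberately a signal rather than a gate: with spoofing and shared egress addresses it cannot authenticate anyone on its own, but it does mean a stolen cookie replayed from elsewhere lands on the step-up path instead of straight into the account, at no cost in failed logins for legitimate users behind a NAT.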

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com