[Kolab-devel] Re: steffen: server/kolab-webadmin/kolab-webadmin/www/admin/user user.php, 1.3, 1.4

Martin Konold martin.konold at erfrakon.de
Tue May 25 12:36:51 CEST 2004


On Tuesday 25 May 2004 11:37 am, Bernhard Reiter wrote:

Hi Bernhard,

> If there are security implications we should base
> it on arguments.

Exactly!

> As far as I understood it, Steffen is right in that
> an IP should not change during a session and protecting
> against this is a small added security measure.

Your assumption is wrong. There are _legitimate_(*) changes of the source 
address during an HTTP session(**).

As mentioned before there is not a single case where this extra code really 
helps to defend against a real attack but it breaks legitimate use cases.

My conclusion: Wrong solution to the wrong problem.

Yours,
-- martin
(*) Roaming Setups, DHCP clients, load balancing web proxies, redundant ISP 
links.....
(**) Please note that HTTP is, in contrast to popular belief, not based on 
persistent connections!

Dipl.-Phys. Martin Konold

e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: martin.konold at erfrakon.de
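To make the check under discussion concrete, here is a small added example (written for this page, not code from kolab-webadmin or from anyone in the thread). It models a server-side session store with an optional "pin session to source IP" rule and runs two constructed scenarios: a legitimate client whose egress address changes mid-session (the roaming/DHCP/proxy cases of footnote (*)), and a stolen session cookie presented from the same address it was issued to. The addresses, user name and helper names are illustrative assumptions.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory session store, written for this example.

    pin_to_ip=True rejects any request whose source address differs from
    the one the session was created with; pin_to_ip=False only checks the
    session id and its age.
    """

    def __init__(self, pin_to_ip=False, ttl_seconds=3600):
        self.pin_to_ip = pin_to_ip
        self.ttl_seconds = ttl_seconds
        self._sessions = {}

    def create(self, user, client_ip):
        # 256-bit random session id; the id itself is the secret, the IP is not.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "ip": client_ip,
            "created": time.monotonic(),
        }
        return sid

    def validate(self, sid, client_ip):
        """Return the user bound to sid, or None if the request is rejected."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if time.monotonic() - sess["created"] > self.ttl_seconds:
            del self._sessions[sid]
            return None
        if self.pin_to_ip and sess["ip"] != client_ip:
            return None
        return sess["user"]


def roaming_client_scenario(pin_to_ip):
    """Constructed case: the same user, second request from a new source IP.

    Addresses are from the RFC 5737 documentation range (assumption).
    """
    store = SessionStore(pin_to_ip=pin_to_ip)
    sid = store.create("alice", "203.0.113.10")
    # e.g. a failover to a second ISP link or a different load-balancing proxy
    return store.validate(sid, "203.0.113.11")


def stolen_cookie_scenario(pin_to_ip):
    """Constructed case: an attacker presents a copied session id.

    The attacker sits behind the same NAT/proxy as the victim, so the
    server sees the same source address as for the legitimate session.
    """
    store = SessionStore(pin_to_ip=pin_to_ip)
    sid = store.create("alice", "198.51.100.7")
    return store.validate(sid, "198.51.100.7")


if __name__ == "__main__":
    for pin in (False, True):
        print(f"pin_to_ip={pin}: roaming client -> {roaming_client_scenario(pin)!r}, "
              f"stolen cookie (same IP) -> {stolen_cookie_scenario(pin)!r}")
```

With pinning on, the roaming client's session is rejected while the copied cookie from the same address is still accepted; with pinning off, both requests succeed on the strength of the session id alone. Whether that trade-off is worth it is the question the thread is arguing about; the example only makes the two outcomes observable.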