(keitai-l) Re: iappli download for emulator without docomo email address

From: Jason Pollard <jasonpollard_at_yahoo.com>
Date: 07/14/01
Message-ID: <20010714162927.56917.qmail@web14610.mail.yahoo.com>
I agree that using IPs for security is generally bad form.  IPs can be
spoofed.  IPs aren't unique, nor are they necessarily the same every time for
a user - e.g. NTT & AOL users appear to come from one of a few proxy servers.
However, screening by IP does appear to be effective in keeping people from
downloading content to their browsers, especially i-applis.

--Jason

--- Nik Frengle <eseller@eimode.com> wrote:
> One of the problems with using an IP address as a security measure on i-mode
> is that for each request an i-mode phone sends, the IP address is different,
> albeit from the same server. I discovered this when I attempted to use the
> PHP 4.0 sessions feature with IP verification, though I would have
> discovered it earlier if I had checked. So, what I did was to only check the
> first three fields in the IP address, which should nonetheless have come
> from one of the two i-mode server IP addresses that DoCoMo has listed.
> Still, it is not very secure. The main problem is that allocating a new IP
> number to an i-mode phone every time they send a request is insecure. For
> newer phones, each request can have the utn attribute, which sends a phone's
> serial number along with the other user-agent information, but this doesn't
> work on the majority of i-mode phones, meaning those in the 501, 502, or 209
> series.  And on the ones that do support it, it annoyingly asks a user every
> time this is sent, which wouldn't work if you used this in place of a
> session id. So, what to do? Become an official DoCoMo site, since then you
> would get this information in each and every request.
> This is from the approach of keeping people out who you don't want in. If
> you AREN'T an official i-mode site, why not let everyone in? You won't be
> part of the official i-mode payment system anyway, so why not make your site
> accessible to everyone? Most of the sites on the lists of official providers,
> I found, didn't actually check IP addresses of requests. But of course if
> you want something in their subscription menu they do check. Kyle's
> excellent i-mimic sends the correct P209is user agent, so using that I was
> able to connect to pretty much all of the sites except Citibank's. Since I
> am a user of their service, I was pretty happy to see that they were
> checking IPs, but for the majority of applications, which do not involve
> money or personal information, I wonder how necessary this is...apparently
> most providers don't feel it necessary.
> -Another Nik
> 
> ----- Original Message -----
> From: "Nick May" <nick@kyushu.com>
> To: <keitai-l@appelsiini.net>
> Sent: Saturday, July 14, 2001 3:56 AM
> Subject: (keitai-l) Re: iappli download for emulator without docomo email
> address
> 
> 
> >
> > >> > so in those cases only, do a reverse dns lookup to see if it resolves to
> > >> > docomo, THEN auto update the list of permitted IP's from which requests
> > >> > will be accepted....
> >
> > keitai-l@appelsiini.net writes:
> > > Does anyone know if this is commonly being done?  If so, faking the headers
> > > won't do any good, unless....maybe browsing from the NTT Docomo network
> >
> > I am fairly sure it is not commonly done - but I sure as hell will be
> > doing it as soon as I can code it up...
> >
> > Nick
> >
> > [ Did you check the archives?   http://www.appelsiini.net/keitai-l/ ]

Received on Sat Jul 14 19:19:09 2001
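The two gatekeeping ideas the thread circles around, matching only the first three octets of the client address against the carrier's published gateway ranges, and doing a reverse DNS lookup before auto-adding an address to the permitted list, as an added Python example that is not from the list or any poster. The networks, gateway domain and DNS tables are constructed placeholders (the real DoCoMo ranges are not on the page), and the lookup functions are injectable so `socket.gethostbyaddr` / `socket.gethostbyname_ex` can be passed in real use; the reverse lookup is forward-confirmed, since a bare PTR check trusts a record the client's own address-space owner controls.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional

# Constructed placeholder networks standing in for the gateway ranges the
# carrier publishes (real DoCoMo ranges are not on the page).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
GATEWAY_DOMAIN = "gateway.example.jp"  # placeholder for the carrier's PTR domain

def prefix_allowed(client_ip: str,
                   nets: Iterable[ipaddress.IPv4Network] = ALLOWED_NETS) -> bool:
    """The thread's 'first three fields' check, done as proper /24 matching."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)

def fcrdns_allowed(client_ip: str,
                   reverse: Callable[[str], Optional[str]],
                   forward: Callable[[str], List[str]],
                   domain: str = GATEWAY_DOMAIN) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must sit under the gateway
    domain AND resolve back to the same address. Without the forward step,
    anyone who controls the PTR for their own address can claim the domain."""
    name = reverse(client_ip)
    if not name or not name.lower().rstrip(".").endswith("." + domain):
        return False
    return client_ip in forward(name)

# Constructed DNS tables so the example runs offline. In production pass
# socket.gethostbyaddr(ip)[0] and socket.gethostbyname_ex(name)[2] instead.
PTR_TABLE = {"192.0.2.10": "gw01.gateway.example.jp",
             "203.0.113.9": "gw02.gateway.example.jp",
             "203.0.113.5": "gw99.gateway.example.jp"}   # PTR claims the domain
A_TABLE = {"gw01.gateway.example.jp": ["192.0.2.10"],
           "gw02.gateway.example.jp": ["203.0.113.9"],
           "gw99.gateway.example.jp": ["198.51.100.77"]}  # but does not point back

def fake_reverse(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)

def fake_forward(name: str) -> List[str]:
    return A_TABLE.get(name, [])

def request_allowed(client_ip: str, learned: List[ipaddress.IPv4Network],
                    reverse=fake_reverse, forward=fake_forward) -> bool:
    """Prefix check first; otherwise try FCrDNS and, on success, learn the
    client's /24 so later requests from that gateway skip the DNS round trip.
    Note the trade-off: learning a whole /24 admits every host in it."""
    if prefix_allowed(client_ip, list(ALLOWED_NETS) + learned):
        return True
    if fcrdns_allowed(client_ip, reverse, forward):
        learned.append(ipaddress.ip_network(client_ip + "/24", strict=False))
        return True
    return False
```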