(keitai-l) Re: Bad Security Decisions

From: Kyle Barrow <kyle_at_X-9.com>
Date: 07/17/01
Message-ID: <NDBBIBLMOEECJPBNJNKCIENGCJAA.kyle@X-9.com>
Absolutely agreed that HTTP_REFERER by itself is dangerous and can be faked,
and I should have been clearer on this point. HTTP_REFERER is still useful
when used in combination with SSL key verification.

HTTP_X_UP_SUBNO is sent from EZWeb (Openwave) phones, just as DoCoMo sends
user IDs to official content sites; not sure if EZWeb phones let you turn
this off. Does anyone know?

I am not arguing the privacy considerations, which I think should be up to
the individual user, but it is a useful header from a developer's point of
view. Agreed that someone could use HTTP_X_UP_SUBNO incorrectly, but this
person has probably already created a security nightmare without the help of
HTTP_X_UP_SUBNO ;)

Kyle

X-9 DESIGN LAB
http://www.X-9.com

-----Original Message-----
From: keitai-l-bounce@appelsiini.net
[mailto:keitai-l-bounce@appelsiini.net] On Behalf Of Curt Sampson
Sent: Tuesday, July 17, 2001 1:20 PM
To: keitai-l@appelsiini.net
Subject: (keitai-l) Bad Security Decisions

On Tue, 17 Jul 2001, Kyle Barrow wrote:

> HTTP_REFERER: Self-explanatory and very useful additional security check.

Um...no. This is basically useless as far as security is concerned. C'mon,
we all know how to forge HTTP headers.

(Hundreds of issues a week come through BUGTRAQ, and I swear that eighty
percent of them are due to software developers making really bad decisions
about what data to use for authentication.)

> HTTP_X_UP_SUBNO: A globally unique subscriber ID. This is the first, best
> method for content personalization.

This is pretty horrible, I think, unless it can be turned off. I really
don't like the thought of having my browsing habits tracked to this
degree.

Even worse, I'd bet that more than one idiot web site developer is going
to decide that this constitutes a good authentication token. (See above
rant.) Which of course means you're giving every web site you visit the
ability to impersonate you to those sites that authenticate based on this.

(And no, authenticating based on this and IP address isn't enough, since
I can just use source address spoofing and sequence number guessing to
send commands, even if I can't see the responses. Not that IP address
will be useful anyway if a ton of phone companies start using this.)

The more I think about it, the more this GUID seems like a really,
really bad idea.

cjs


[ Did you check the archives?   http://www.appelsiini.net/keitai-l/ ]
Received on Tue Jul 17 14:10:33 2001
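As an added example (not code from this thread, and neither Kyle's nor Curt's), the two patterns the exchange contrasts side by side: a handler that treats HTTP_X_UP_SUBNO as an authentication token, and one that uses the header for personalization only and gates private data on a server-issued session token. The subscriber table, password table and CGI-style request environments are constructed sample data.

```python
import hmac
import secrets

# Constructed sample data: subscriber ID -> display name, account -> password,
# and account -> data that only the authenticated user should see.
SUBSCRIBERS = {"0123456789": "Alice"}
PASSWORDS = {"alice": "correct horse battery"}
PRIVATE_DATA = {"alice": "Alice's order history"}

# Server-side session store: unguessable random token -> account name.
SESSIONS = {}


def login(account, password):
    """Check a real credential; on success issue a session token the client
    must present on later requests. Only the server can mint these."""
    expected = PASSWORDS.get(account, "")
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def naive_handler(environ):
    """The pattern the thread warns against: whoever sends a subscriber ID
    in HTTP_X_UP_SUBNO is treated as that subscriber. Any HTTP client can
    set the header, so this is not authentication."""
    account = SUBSCRIBERS.get(environ.get("HTTP_X_UP_SUBNO"), "").lower()
    return PRIVATE_DATA.get(account)


def cookie_token(environ):
    """Extract the 'sid' cookie from a CGI-style HTTP_COOKIE value."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None


def hardened_handler(environ):
    """HTTP_X_UP_SUBNO drives personalization only (a greeting); access to
    private data requires a session token issued by login()."""
    greeting = "Hello, " + SUBSCRIBERS.get(environ.get("HTTP_X_UP_SUBNO"), "guest")
    account = SESSIONS.get(cookie_token(environ))
    return greeting, PRIVATE_DATA.get(account) if account else None
```

A request carrying only a copied subscriber ID gets Alice's data from the naive handler but only a greeting from the hardened one; the same request plus a genuine session cookie gets both.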