RE: [WEB SECURITY] MachineID fingerprinting
- From: "White, Dain P" <dainw@xxxxxxx>
- Subject: RE: [WEB SECURITY] MachineID fingerprinting
- Date: Wed, 8 Aug 2007 10:40:02 -0700
One way to do this would be via MAC address, though I don't think the
client exposes that to the network it connects to.
In theory (haven't done it and may not be qualified to comment) it might
be possible to write a client application the user downloads (in .net)
that they would need to run before connecting. That application would
look up the MAC address and write it to an encrypted cookie that the
server could then read for comparison against a database.
Can I write such a client? Nope. Should I have even commented? It's only
2 cents, you get what you pay for...
~Dain
-----Original Message-----
From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx]
Sent: Wednesday, August 08, 2007 10:25 AM
To: robert.purvis@xxxxxxx
Cc: robert@xxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] MachineID fingerprinting
I am talking about device fingerprinting not IP fingerprinting.
I am specifically looking for people who have reviewed such technologies
and their experiences with them (not a vendor response).
Regards,
- Robert
http://www.webappsec.org/
http://www.cgisecurity.com/
>
> A web server can identify the IP address of incoming requests - maybe that
> is what the Bank of America do. But this can easily be sidestepped if your
> request goes through a proxy.
>
>
> Robert Purvis
> Principal Technical Specialist
>
>
> Systems and Service Delivery
> NHS Connecting for Health
> 01392 206691
> robert.purvis@xxxxxxx
> www.connectingforhealth.nhs.uk
>
> -----Original Message-----
> From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx]
> Sent: 08 August 2007 05:24
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] MachineID fingerprinting
>
> Yo list!
>
> Has anyone had any experience with machineid technologies on the list?
> Specifically the ability to identify 1 machine and the ability to identify
> multiple users on the same machine either using javascript or via an
> installed application.
>
> For example Bank of America uses this technology to some extent to remember
> your machine and provide additional challenge responses if it doesn't
> recognize it. If you've evaluated a technology and found it to be worthless
> I am also interested in finding out why.
>
> Thanks
> - Robert
> http://www.webappsec.org/
> http://www.cgisecurity.com/
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>
> **********************************************************************
> This message may contain confidential and privileged information.
> If you are not the intended recipient please accept our apologies.
> Please do not disclose, copy or distribute information in this e-mail
> or take any action in reliance on its contents: to do so is strictly
> prohibited and may be unlawful. Please inform us that this message has
> gone astray before deleting it. Thank you for your co-operation.
>
> NHSmail is used daily by over 100,000 staff in the NHS. Over a million
> messages are sent every day by the system. To find out why more and
> more NHS personnel are switching to this NHS Connecting for Health
> system please visit www.connectingforhealth.nhs.uk/nhsmail
> **********************************************************************
>
Brought to you by http://www.webappsec.org