Re: [WEB SECURITY] MachineID fingerprinting

[robert@xxxxxxxxxxxxx]

> One way to do this would be via MAC address, though I don't think the
> client exposes that to the network it connects to.=20

This is the sort of thing I'm talking about however using more system checkpoints such as
browser utilized, username, patchlevels (although there are specific challenges here when updates happen), etc...


> In theory (haven't done it and may not be qualified to comment) it might
> be possible to write a client application the user downloads (in .net)
> that they would need to run before connecting. That application would
> look up the mac address and write it to an encrypted cookie that the
> server could then read for comparison against a database.=20

There are companies that do this sort of thing and I'm looking at how effective they are or have been for
people on this list. 

> Can I write such a client? Nope. Should I have even commented? It's only
> 2 cents, you get what you pay for...


:)

Thanks!
- Robert
http://www.webappsec.org/
http://www.qasec.com/



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]