Re: [WEB SECURITY] MachineID fingerprinting
- From: Daniel McLaughlin <daniel.mclaughlin@xxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] MachineID fingerprinting
- Date: Wed, 8 Aug 2007 18:44:43 +0100
I have successfully used client certificates using SSLv3 to authenticate between servers before beginning an LDAP-based authentication. It was tricky to implement in ColdFusion due to my inexperience and lack of suitable libraries (it's supported in the new version, CF8), but I have been informed that it can be done with relative ease using Java. The authentication sequence is like this:
Client server authenticates using their cert
Target server responds with its certificate
If the certificates match what is in the respective keystores, the authentication is successful and you can then move to stage 2.
This technique relies on being able to securely deliver the server certificate and having an appropriate mechanism for revocation.
I should also mention that this is what can be used for a VPN with OpenVPN.
Regards
D
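As an added example (Go, not code from this thread or from the ColdFusion/Java setup it describes), here is the two-way keystore check of stage 1: each side holds the other's issuing CA in a CertPool, the target server demands a client certificate, and a certificate from a CA outside a side's keystore is refused in either direction. The CA and host names (demo-ca, target-server, client-server) and the loopback listener are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// mkCert issues a cert for cn signed by ca; with ca == nil it creates a self-signed root CA.
func mkCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature} // no EKU set, so the cert is usable for both server and client auth
	if ca == nil { // root CA: it is its own issuer and may sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// handshake runs stage 1 over loopback TCP; each side accepts the peer only if its cert chains to that side's keystore.
func handshake(srv, cli tls.Certificate, clientCAs, serverCAs *x509.CertPool) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil { // RequireAndVerifyClientCert refuses a missing cert or one not chaining to ClientCAs
			err = tls.Server(c, &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: clientCAs,
				ClientAuth: tls.RequireAndVerifyClientCert}).Handshake()
		}
		errc <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{cli},
		RootCAs: serverCAs, ServerName: "target-server"}) // RootCAs is the client's keystore
	if err != nil {
		return err // the client refused the target server's certificate
	}
	conn.Close()
	return <-errc // the target server's verdict on the client certificate
}
```

The revocation mechanism the message calls for is not shown: crypto/tls does not consult CRLs on its own, so a CRL or OCSP lookup would go in the tls.Config VerifyPeerCertificate callback.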
----- Original Message -----
From: robert@xxxxxxxxxxxxx <robert@xxxxxxxxxxxxx>
To: robert.purvis@xxxxxxx <robert.purvis@xxxxxxx>
Cc: robert@xxxxxxxxxxxxx <robert@xxxxxxxxxxxxx>; websecurity@xxxxxxxxxxxxx <websecurity@xxxxxxxxxxxxx>
Sent: Wed Aug 08 18:25:07 2007
Subject: Re: [WEB SECURITY] MachineID fingerprinting
I am talking about device fingerprinting not IP fingerprinting.
I am specifically looking for people who have reviewed such technologies and their experiences with them (not a vendor response).
Regards,
- Robert
http://www.webappsec.org/
http://www.cgisecurity.com/
>
> A web server can identify the IP address of incoming requests - maybe that
> is what the Bank of America do. But this can easily be sidestepped if your
> request goes through a proxy.
>
>
> Robert Purvis
> Principal Technical Specialist
>
>
> Systems and Service Delivery
> NHS Connecting for Health
> 01392 206691
> robert.purvis@xxxxxxx
> www.connectingforhealth.nhs.uk
>
> -----Original Message-----
> From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx]
> Sent: 08 August 2007 05:24
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] MachineID fingerprinting
>
> Yo list!
>
> Has anyone had any experience with machineid technologies on the list?
> Specifically the ability to identify 1 machine and the ability to identify
> multiple users on the same machine either using javascript or via an
> installed application.
>
> For example Bank of America uses this technology to some extent to remember
> your machine and provide additional challenge responses if it doesn't
> recognize it. If you've evaluated a technology and found it to be worthless
> I am also interested in finding out why.
>
> Thanks
> - Robert
> http://www.webappsec.org/
> http://www.cgisecurity.com/
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org