RE: [WEB SECURITY] MachineID fingerprinting
- From: "Billy Hoffman" <Billy.Hoffman@xxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] MachineID fingerprinting
- Date: Wed, 8 Aug 2007 17:10:26 -0400
I suppose it depends on what the goal of the identifier is. If the goal
is "See if the person using this account has some radically different
identifier than last time and thus needs further authentication" then
this approach works. If your goal is "Ensure that the person using this
account is using the exact same machine as last time" then it will not.
My gut feel is the more you increase your certainty about someone's
identity the more invasive/cumbersome your method must be. Just look at
client-side certs.
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics Inc. - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845
Attend SPICON 2.0 - SPI Dynamics' User Conference - and earn CPE
credits.
Sign up today at http://www.spicon2007.com/.
-----Original Message-----
From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx]
Sent: Wednesday, August 08, 2007 4:12 PM
To: Billy Hoffman
Cc: robert@xxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] MachineID fingerprinting
> All the other solutions I've seen here involve installing something on
> the client's machine.
I've seen some that do not require installing anything, however I can't
go too much into details :)
I'm not looking at how to do it, I'm looking at the most popular
implementations, data gathered, and most importantly the end result and accuracy.
Points to consider (hoping to hear more specific examples)
- Intranet ips change
- Patch levels change: OS, browser plug-ins (flash/adobe), browsers,
etc...
- Hardware changes: disk drive upgrade, new network card, additional
drive addition
- Multi users sharing a machine (different os account names)
- Being able to support a reasonable change threshold. If more than X%
change then reregistration may be required.
Regards,
- Robert
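One way to implement the change threshold Robert asks for, combined with Billy's point that the identifier is only good for spotting a "radically different" machine and triggering further authentication. This is an added example, not code from either poster; the attribute names, weights and thresholds are assumptions chosen so that attributes which legitimately change often (intranet IP, plug-in patch level, OS account on a shared machine) carry less weight than hardware identifiers.

```python
# Weighted fingerprint drift check (illustrative; weights are assumptions,
# not values from the thread). Weights sum to 20 so ratios are easy to read.
ATTRIBUTE_WEIGHTS = {
    "intranet_ip": 1,         # changes with DHCP leases / office moves
    "os_version": 3,
    "browser_version": 2,
    "flash_version": 1,       # plug-in patch levels change frequently
    "pdf_plugin_version": 1,
    "screen_resolution": 3,
    "timezone": 2,
    "disk_serial": 3,         # hardware: drive upgrade / additional drive
    "nic_mac": 3,             # hardware: new network card
    "os_account": 1,          # shared machine, different OS account names
}

def _differs(stored, current, key):
    # An attribute missing on either side is treated as changed.
    return key not in stored or key not in current or stored[key] != current[key]

def change_ratio(stored, current):
    """Weighted fraction of attributes that differ: 0.0 identical, 1.0 all changed."""
    total = sum(ATTRIBUTE_WEIGHTS.values())
    changed = sum(w for k, w in ATTRIBUTE_WEIGHTS.items() if _differs(stored, current, k))
    return changed / total

def decide(stored, current, step_up=0.15, reregister=0.50):
    """Return ('accept' | 'step_up' | 'reregister', ratio).

    step_up: enough drift to ask for further authentication.
    reregister: so much drift that the record is treated as a new machine.
    """
    ratio = change_ratio(stored, current)
    if ratio >= reregister:
        return "reregister", ratio
    if ratio >= step_up:
        return "step_up", ratio
    return "accept", ratio

# Constructed sample: the fingerprint stored at registration time.
STORED = {
    "intranet_ip": "10.1.2.33", "os_version": "WinXP-SP2", "browser_version": "IE7.0.5730",
    "flash_version": "9.0.47", "pdf_plugin_version": "8.1.0", "screen_resolution": "1280x1024",
    "timezone": "-0400", "disk_serial": "WD-WMAM9F123456", "nic_mac": "00:1a:2b:3c:4d:5e",
    "os_account": "alice",
}

def scenario(**changes):
    """Apply the given attribute changes to STORED and return the decision."""
    return decide(STORED, {**STORED, **changes})
```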