ASP authentication by IP number

Posted by Ralph Wiggum on April 24, 2008, 2:28 pm
How safe is it to use the client's IP number versus posting a username/password
(in cleartext) in an HTTP request? Assuming the client's IP number is static.

A common use-case would be a web forum, where only VIP users should have access
to specific topics. Authentication by IP is certainly the most user-friendly,
as users don't have to register/remember passwords, no?

Is IP spoofing considered easier than picking up unencrypted usernames/passwords
from web traffic?

Posted by Roger Abell [MVP] on April 27, 2008, 2:39 am
> How safe is it to use the client's ip-number versus posting a
> username/password (in cleartext) in an http request? Assuming the client's
> ip-number is static.

It's probably safer than a usr/pwd cred exchange in the clear.

> A common use-case would be a web forum, where only VIP users should have
> access to specific topics. Authentication by IP is certainly the most
> user-friendly, as users don't have to register/remember passwords, no?

No. Yes, you are right, but after taking initial IP-verified registration
and users being stuck to registered IPs into account, it seems that the
use-case gets pretty weak.

> Is ip-spoofing considered easier than picking up unencrypted
> usernames/passwords from web-traffic?

No in general, and certainly not for someone on a different subnet.




Posted by Steve Riley [MSFT] on April 28, 2008, 1:03 am
Wrong approach. IP addresses identify machines, not humans. They are easily
spoofable, since they are always clear-text and are always unauthenticated.
Plus, with your approach, authorized users will be tied to specific
machines--they won't be able to access their information from other
computers.

User ID/password pairs are specifically designed for the scenario you've
described. Please use them.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



> How safe is it to use the client's ip-number versus posting a
> username/password (in cleartext) in an http request? Assuming the client's
> ip-number is static.
> A common use-case would be a web forum, where only VIP users should have
> access to specific topics. Authentication by IP is certainly the most
> user-friendly, as users don't have to register/remember passwords, no?
>
> Is ip-spoofing considered easier than picking up unencrypted
> usernames/passwords from web-traffic?


Posted by Ralph Wiggum on April 28, 2008, 5:14 pm
Most of my users are behind their company's firewall. If I keep a database of
firewall IP numbers and check incoming requests against the database, wouldn't
that be an OK solution?

Steve Riley [MSFT] wrote:
> Wrong approach. IP addresses identify machines, not humans. They are
> easily spoofable, since they are always clear-text and are always
> unauthenticated. Plus, with your approach, authorized users will be tied
> to specific machines--they won't be able to access their information
> from other computers.
>
> User ID/password pairs are specifically designed for the scenario you've
> described. Please use them.
>

Posted by S. Pidgorny on April 28, 2008, 5:51 pm
No - for the same reasons. Why do you need extravagant authentication-like
schemes when many proper ways of authentication are available?

If you just need to allow certain IPs to access the Web site, just configure
restrictions and use anonymous access.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> Most of my users are behind their company's firewall. If I keep a database
> of firewall ip-numbers and check incoming requests against the database,
> wouldn't that be an ok solution?
> Steve Riley [MSFT] wrote:
>> Wrong approach. IP addresses identify machines, not humans. They are
>> easily spoofable, since they are always clear-text and are always
>> unauthenticated. Plus, with your approach, authorized users will be tied
>> to specific machines--they won't be able to access their information from
>> other computers.
>>
>> User ID/password pairs are specifically designed for the scenario you've
>> described. Please use them.
>>
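An added example, not from this thread or any of its posters, showing the two points made above: a database of firewall IP numbers admits everyone behind that NAT address (and locks the VIP out when they are elsewhere), whereas a credential check decides on the authenticated user regardless of address. All addresses, user names and passwords are constructed sample data.

```python
import hashlib, hmac, os, secrets
from typing import Optional

VIP_FIREWALL_IPS = {"203.0.113.10"}   # assumed: NAT egress address of a VIP user's employer
VIP_USERS = {"alice"}                  # only alice may read VIP topics
_CREDS = {}                            # user -> (salt, PBKDF2 hash); stands in for a user table
_SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret used to sign session tokens

def ip_gate(remote_ip: str) -> bool:
    """The proposal from the thread: grant VIP access purely from the source address."""
    return remote_ip in VIP_FIREWALL_IPS

def register(user: str, password: str) -> None:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    _CREDS[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000))

def login(user: str, password: str) -> Optional[str]:
    """Verify the password; on success return a signed session token bound to the user."""
    if user not in _CREDS:
        return None
    salt, stored = _CREDS[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    if not hmac.compare_digest(candidate, stored):
        return None
    return user + ":" + hmac.new(_SERVER_KEY, user.encode(), "sha256").hexdigest()

def session_gate(token: Optional[str]) -> bool:
    """Credential-based approach: decide on the authenticated user, wherever they connect from."""
    if not token or ":" not in token:
        return False
    user, sig = token.split(":", 1)
    expected = hmac.new(_SERVER_KEY, user.encode(), "sha256").hexdigest()
    return hmac.compare_digest(sig, expected) and user in VIP_USERS

def demo() -> dict:
    """Constructed traffic; returns {scenario: (ip_gate result, session_gate result)}."""
    register("alice", "correct horse")
    register("bob", "battery staple")
    alice_tok, bob_tok = login("alice", "correct horse"), login("bob", "battery staple")
    return {
        "alice at office": (ip_gate("203.0.113.10"), session_gate(alice_tok)),
        "bob, same NAT IP": (ip_gate("203.0.113.10"), session_gate(bob_tok)),  # non-VIP colleague
        "unauthenticated at office": (ip_gate("203.0.113.10"), session_gate(None)),
        "alice from home": (ip_gate("198.51.100.7"), session_gate(alice_tok)),
        "tampered token": (ip_gate("198.51.100.7"), session_gate("alice:" + "0" * 64)),
    }
```

Only the session check admits alice from home and keeps out her non-VIP colleague behind the same firewall address; the IP allowlist gets both cases wrong.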