IP address as additional security factor for authentication [closed] - security

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
In addition to standard form authentication, IP address has been added as the security factor. This means a change of IP address drops the user session.
Personally I think this is an overwhelmed solution and does not provide real value. Also, something tells me that there are possible situations when the IP address could be changed legally.
I need to mention that we do not have a "remember me" check box and we are just a consumer e-commerce application.
So, questions:
Could IP be a security factor?
Is there something that could change the IP address during surfing (proxies, anonymizers, speed-boosters)?

You should not rely on the IP address for authentication, not even for enhanced authentication.
There are a lot of scenarios where an IP address changes during surfing, you mentioned some. Others include: Switch to a VPN, restart of router, reset of connection by the ISP.

The first time I ran into this problem was many years ago, due to AOL users. With the AOL software at the time, browser requests would go through AOL's proxy farm and could come from a different IP address on every request. Certainly the same thing can happen today, for many reasons. Your web app must not rely on the IP address being constant. Use cookies instead.

Not only are there legitimate ways for an IP to change, but there are illegitimate ways for a sophisticated user to spoof someone's IP whose info they were trying to steal.
So this approach can inconvenience real users and provide more tools for the bad guys.
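
The behaviour the answers above describe, as an added example that is not part of the original posts: the same constructed request sequence is replayed against a session store that drops the session on an IP change and against one that relies only on the session cookie. `SessionStore`, `replay` and the sample addresses are hypothetical names and values chosen for illustration.

```python
import secrets


class SessionStore:
    """Server-side sessions keyed by an unguessable cookie token."""

    def __init__(self, bind_to_ip):
        self.bind_to_ip = bind_to_ip  # True reproduces the policy in the question
        self.sessions = {}            # cookie token -> {"user": ..., "ip": ...}
        self.ip_changes = []          # audit trail only, never an auth decision

    def login(self, user, ip):
        token = secrets.token_urlsafe(32)  # value carried in the session cookie
        self.sessions[token] = {"user": user, "ip": ip}
        return token

    def authenticate(self, cookie_token, ip):
        session = self.sessions.get(cookie_token)
        if session is None:
            return None  # unknown, expired or guessed cookie
        if ip != session["ip"]:
            if self.bind_to_ip:
                del self.sessions[cookie_token]  # IP changed: session dropped
                return None
            # Cookie-only policy: keep the session, record the change for review.
            self.ip_changes.append((session["user"], session["ip"], ip))
            session["ip"] = ip
        return session["user"]


# Constructed sample: one user's requests leaving through different proxy
# addresses (documentation ranges), as in the AOL proxy-farm case above.
REQUEST_IPS = ["198.51.100.7", "198.51.100.7", "198.51.100.23", "203.0.113.9"]


def replay(store, request_ips, user="alice"):
    """Log in from the first address, then authenticate every request."""
    token = store.login(user, request_ips[0])
    return [store.authenticate(token, ip) for ip in request_ips]


if __name__ == "__main__":
    print("IP-bound   :", replay(SessionStore(bind_to_ip=True), REQUEST_IPS))
    print("cookie-only:", replay(SessionStore(bind_to_ip=False), REQUEST_IPS))
```

With the IP-bound policy the legitimate user is logged out at the first address change; with the cookie-only policy the session survives and the address changes remain available as a signal for review.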

Related

Can I use XAMPP for real serving? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
Can I use XAMPP for real to serve to WWW, not just my localhost? I see some warnings in some articles on the internet not to do that and that XAMPP is for testing only and that hackers will screw it up... If so, what kind of SPECIFIC security holes and problems does it have that make it not secure to serve for real?
I don't want some loose answers. I want a SPECIFIC answer about the security holes or weaknesses of XAMPP. Thanks!
This is not an answer, more a long comment.
Here be Dragons:
The issue with the 'out of the box' XAMPP setup is that all the passwords are defaults and everyone knows them. You need to change every password. If you are not using certain services then disable them if you don't want to bother changing the password. I disabled DAV for this reason. I use XAMPP as an internet facing server and never have bother. I am on version 1.7.7. Been using it for years.
If you are using it on a 'home' network with dynamic IP. If you want a domain name then you need to use a service that provides support for your IP address changing regularly. I use 'dyn' but there are others.
As #Braders has commented. Security is a major issue! Get it wrong and your server will be used for all sorts of nasties, both to your PC and others on the internet. I would suggest an external scan for security issues before you leave it permanently connected to the internet.
I set my server up a few years ago and I am starting to remember all the checks I made at the time. It took many days before I could 'trust' it. Lots of time looking at the access logs etc.
If you are not sure then do not do it. It is very easy to get the setup wrong.
The major issue with running any server is that you are making 'holes' in the firewall and that can be 'interesting' as to what comes in.
As was also mentioned by Braders, you really do need to check with your internet provider to ensure it is allowed by your agreement.

Random TLD Name, Numbers and Letters, for Added Security? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I have a client app that faces the internet, but only clients will access it. The site should never be indexed or crawled or viewed outside of our clients. We are always concerned about DDOS and attempts to gain access. If the system can add one more level of being hidden, or harder to find, I don't see the negatives.
Users will never have to enter the domain name (think kiosks), and admins can use bookmarks. Yes, security by obscurity is no solution and never relied upon. But if you can add it to an existing and robust secured system, why not?
Is there any downside to having a random domain name like j398sh3-3nj23j.com?
I would love to hear some thoughts and opinions.
If you're never using it where anyone will see it (even by rDNS on an incoming connection from your server), then the only real drawback is that you're paying for it when you could as easily use a random subdomain under a domain you already control (e.g. j398sh3-3nj23j.example.com).
But it'll provide zero protection from DDOS or attempts to gain access, as anyone who is in a position to extract a normal domain name from your client app will probably be able to extract this random domain name just as easily, and they may not even bother with domain names and just get the IP address your client is connecting to anyway.
Emphatically speaking, that's useless. As was pointed out above, using some subdomain of your own would cost less, be saner, and have more utility.
If you have a number of nodes on a private network that is not physically private, use a good VPN system and machine authentication with certificates. If you do that, nothing is accessible except the Internet-facing VPN software, and that can easily ignore anything that's not legitimate.

Small websites - openID instead of SSL? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
I'll be using a shared Internet connexion starting this September at my school and I was wondering about what someone sniffing traffic with Wireshark may find there. I am not planning to do this myself but I feel I ought to know more about it if I want to sometimes work on my website during class.
Basically, isn't every non-SSL website that asks you for a password and an e-mail totally unsecure to log on to on a shared connexion? When you know how many people use the same password for all their web/laptop/mobile accounts, it doesn't take long to get access to all of someone's private data if you manage to sniff one password and e-mail.
As for me, I am already looking at how to secure my FTP connexions, but what about my users who log in through HTTP? Unless I buy an SSL certificate (which I don't want, the site's too small), they are going to get more exposed to Wireshark sniffers all over the world, right? Isn't this where login tools such as OpenID become handy for small communities, since they do provide a free encryption of passwords?
OpenID and SSL are completely unrelated. OpenID's purpose is to consolidate and give ownership of a user's identity to the user, while SSL is used to keep a user's traffic with your site secret (encrypted). You can use OpenID to keep track of the user (like Stack Overflow does) and still not use SSL for the content pages.

Why do people hide their nameservers? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
Sometimes when I look up the WHOIS information for some domains, I see that their nameservers are forwarded to a service like ZoneEdit or Domain Control. I've never understood what the purpose is for doing this but I have a feeling it has to do with hiding the nameserver so someone who does a WHOIS on the domain can't figure out which service the site is hosted under.
Can someone please explain this to me?
There are all sorts of reasons someone may use a service like this:
Their webhost doesn't provide DNS. Especially true for people running their own VPS (you'd need 2, for backup DNS).
Their webhost provides DNS, but it is bad; it is slow, it drops out, whatever it may be.
They use multiple webhosts and want to keep all the DNS in one place.
I'm sure there are many more, but these are the obvious ones.
On a related note, for many web hosts you can look up the owner of the IP range that the web server is in if you want to know what company is ultimately hosting a website. This will turn up some info, though the company that owns the IP may not be the person that is being paid directly by a site owner for hosting on that IP.

Network Security [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 12 years ago.
I have been a .NET developer for the past three years. Just curious to know about the network security field. What kind of work do the developers working in this area do? I really do not have much idea about network security, but my understanding is that these people are involved in securing networks and preventing attacks on networks, as is obvious. Could anyone please give me some details about this field and also what it takes to move to this field?
Take a look at "Security Engineering" by Ross Anderson. The first edition and part of the second are available for free online here. While he talks about many non-network issues, the principles mostly apply.
Network security is a vast subject. On the developer side, I think you would most likely be concerning yourself with lots of encryption schemes and process security. There are basic things like using SSL for network traffic of a program to more advanced subjects like preventing any traces of a sensitive operation from remaining in RAM after a program has processed (and probably encrypted) it.
Today, you would need to become an expert in TCP/IP protocols. Everything from ARP, DNS, UDP, ICMP, BGP, and on and on. Most networks are IP-based, with IP-based firewalls. The firewalls will allow, for example, "TCP traffic on port 80" to come through. You need to be able to understand if that traffic is valid web surfing, DOS attack, or otherwise malicious. This can only be accomplished with detailed understanding of how IP networks work. Ditto for other protocols like DNS. In addition, lower-level understanding of ethernet communications and other means of transport (like cell phone networks or WiFi networks) would be important. I suppose it depends on what you mean by "network security" - to me this is below the application layer.
