rcwash@us.ibm.com wrote:
> I have been subscribed for almost a week
> and haven't received a single email, so it is hard to get a feel for what
> topics are appropriate.
I have found that the ideas discussed on these lists translate very well into practical security concerns, such as creating CGI sessions that are difficult to hijack. MIT-X-MAGIC-COOKIES made sense as well, once I realized that they are "capability keys."
(although Mr. Shapiro may not agree, since they are in userland rather than OSland.)
I maintain a system at UMKC in which the help desk staff have exclusive access to a set of CGI interfaces. The exclusivity was guarded by registering the IP addresses used by the help desk staffers.
The building's IP infrastructure has [up|down]graded to use dhcp instead of static assignment, so a new security paradigm was required.
Based on the ideas discussed on these lists, I set up a system in which the staffer's web browser software would get cookied with a capability key, so that authorization now follows the particular machine rather than the particular IP address.
David Nicol 816.235.1187 nicold@umkc.edu
eating cheese on toast, peering through the snow, etc
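The cookie-as-capability scheme described in the post above, as an added example that is not David's code or UMKC's system: a CGI back end issues a random, unguessable capability key as a cookie to an enrolled browser and later authorizes requests by that key rather than by client IP address. The cookie name, the `/cgi-bin/helpdesk` path and the in-memory registry are assumptions made for the illustration; only a hash of each key is stored, so a leaked registry does not hand out usable keys, and the cookie is marked HttpOnly, Secure and SameSite so that it is harder to steal or replay.

```python
"""Capability-key cookie for a CGI interface (illustrative example).

Not code from the original post. Assumes an HTTPS-only CGI back end
and keeps the key registry in a process-local dict (a real deployment
would persist it and share it between CGI invocations).
"""
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

COOKIE_NAME = "helpdesk_cap"          # hypothetical cookie name
COOKIE_PATH = "/cgi-bin/helpdesk"     # hypothetical CGI path

# Server-side registry: sha256(key) -> staffer name. Only digests are stored.
_registry = {}


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def issue_capability(staffer: str) -> Tuple[str, str]:
    """Enroll a browser: mint a key for `staffer` and build its Set-Cookie line."""
    key = secrets.token_urlsafe(32)   # 256 random bits; not guessable or enumerable
    _registry[_digest(key)] = staffer
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = key
    cookie[COOKIE_NAME]["httponly"] = True      # page scripts cannot read it
    cookie[COOKIE_NAME]["secure"] = True        # only sent over TLS
    cookie[COOKIE_NAME]["samesite"] = "Strict"  # not sent on cross-site requests
    cookie[COOKIE_NAME]["path"] = COOKIE_PATH   # scoped to the help-desk CGIs
    return key, cookie.output(header="Set-Cookie:")


def check_request(cookie_header: Optional[str]) -> Optional[str]:
    """Authorize a request by its Cookie header; return the staffer or None.

    The lookup is by digest of the presented key. Because the digest of a
    guessed key is unpredictable, dict lookup timing reveals nothing useful.
    """
    if not cookie_header:
        return None
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header)
    except Exception:           # malformed Cookie header: treat as unauthorized
        return None
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    return _registry.get(_digest(morsel.value))


def revoke_capability(key: str) -> bool:
    """Invalidate a key, e.g. when a help-desk machine is retired or lost."""
    return _registry.pop(_digest(key), None) is not None


if __name__ == "__main__":
    key, header = issue_capability("staffer-one")   # constructed sample enrollment
    print(header)
    print("authorized as:", check_request(f"{COOKIE_NAME}={key}"))
    print("bogus key ->", check_request(f"{COOKIE_NAME}=not-a-real-key"))
```

The enrollment step (`issue_capability`) is the one place that still needs an out-of-band check that the browser really belongs to a staffer; after that, revocation is a matter of dropping the digest, which is simpler than chasing a changing DHCP lease.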