socket security
Erno Kuusela
erno-news at erno.iki.fi
Sat Apr 6 18:12:01 EST 2002
In article <40sr8.3765$rg3.345703 at news-binary.blueyonder.co.uk>,
Alastair Nicol <calaban.madness at blueyonder.co.uk> writes:
| 2) Also when a client connects to a socket the server gets the IP address
| of the client. Is this the "real" ip number? Ive heard you can spoof IP
| numbers so what hoops are needed to validate that the client is really that
| client.
yes, it is trivial to forge the source address of ip packets.
if the attacker wants to do 2 way communication with the forged
address, he will also need to intercept the packets that are sent to
the phony address. (this is easy if the attacker is on the same lan,
by using eg arp spoofing.)
many tcp implementations have fairly unpredictable initial sequence
numbers, so 2 way communication is required to set up a tcp
connection.
| openSSL is an option i would like to use, but for reasons to numerious to
| list here, i cant.
if you only need authentication, it's easy to roll your own
shared-secret system by using sha or md5 from the standard
library. this requires you to handle distributing the secrets to
clients somehow. see eg "digest authentication" in
<URL: http://www.faqs.org/rfcs/rfc2617.html>.
-- erno
More information about the Python-list
mailing list