Re:

cookies.
cookies.
COOKIES. For God's sake just listen to somebody. The only way to achieve
what you want is to send data to the client and get them to send it
back. That's a cookie. What you're looking for is exactly what Google
Analytics does, which I mentioned early yesterday. Hit vs. Unique
visitors, they even have a graph to show you this exact statistic.

Regarding this little gem: "Then it becomes impossible to know if a
page REALLY exists or if my emails are going where intended, or coming
from where stated... so am I to assume that traffic addressing in
general has FAILED?". No, like I said you cannot be sure of where
traffic is coming from or who is getting it with IP, TCP, or HTTP.
That's exactly right. In general, we can take it for granted that
messages most likely go where intended and most likely come from where
they claim to, but this is definitely open to attack and requires
stronger protocols if you absolutely need to be sure of it. When you
search Google, you can feel pretty confident that the results really
come from Google because nobody has much to gain by sneaking in their
own results. When you connect to your bank's website, it's a much
different story and you shouldn't take anything for granted: you need
additional protection outside of these three protocols.

TLS and SSL use cryptographic techniques to authenticate end points in
the communication and to encrypt and sign the data being transmitted
so that you can verify it was not tampered with along the way.

If you want more information on how to use cookies for what you're
doing, I'd be happy to help, and we can probably take the discussion
off-list. If you're not willing to use cookies, you can encode it in
the URL, and I can help you with that as well. But either way, you are
relying on the user to send the information back intact. If you can't
trust your end users to do that and it's important that you know for
sure, you will need TLS or SSL. I can help you get started with these,
but there are others on this list with much more knowledge on the
subject than myself.

-Brian

On Wed, Nov 11, 2009 at 4:28 PM, Stephen Love <stephenlove@xxxxxxxx> wrote:
>
> Hmmm... somewhat new to the inner details... all I know is what I research
> on my own... have not had a book-learning course on this... but TLS... what
> is that? AND... I simply want a list of source identifiers of incoming
> requests so that I can check each new one for duplicate incoming source...
> just a HITS vs UNIQUE VISITORS. I want NOTHING MORE. I can do add'l tracking
> based on time, date, etc, on my own. Just site usage statistics.
>
> See us online at http://www.LOVEnCompany.com.
>
> ---------- Original Message ----------
> From: Brian Mearns <mearns.b@xxxxxxxxx>
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: 
> Date: Tue, 10 Nov 2009 22:34:24 -0500
>
> On Tue, Nov 10, 2009 at 6:37 PM, Eric Covener <covener@xxxxxxxxx> wrote:
>> On Tue, Nov 10, 2009 at 6:20 PM, Stephen Love <stephenlove@xxxxxxxx>
>> wrote:
>>> So what you are telling me is that there IS no REAL 2-way handshaking
>>> going
>>> on. Then we've lost ALL hope of security.
>>>
>>
>> What's "REAL" in this context?  It's not authenticated and doesn't
>> result in some session establishment unless you configure your
>> application to require/manage such a thing?
>>
>> --
>> Eric Covener
>> covener@xxxxxxxxx
> [clip]
>
> Yes, why don't you tell us exactly what you want to do, what's your
> end goal? Visitor stats? Geographic locating? Authentication of a
> real-world identity? There's a lot of very bright and very
> knowledgeable people on this list, so if there's any way at all to do
> what you want, then there is a very good chance that somebody here
> will be able to tell you. It just might not be done the way you think
> it should be.
>
> As many of us have said, TCP is an end to end protocol. And in fact,
> it is stateful, so you can send messages back and forth between the
> two end points for as long as the connection is open. There is a
> handshake that goes on between the two end points to set up this
> connection, but this is not any sort of real authentication process
> that confirms the identity of either end. What TCP gets you is pretty
> good confidence that you are talking to the same person you were when
> you started the conversation, but even that confidence is really only
> upheld in the absence of active attacks like IP spoofing, and it
> provides absolutely no confidence that there aren't other people
> listening to the conversation, and potentially even participating in
> the conversation.
>
> If you're looking for security: like making sure no one else is
> listening to the conversation, no one else is modifying the
> conversation data, and/or making sure that the person on the other end
> is who they claim to be...then you're going to need a much more
> sophisticated protocol than TCP, IP, or HTTP. SSL/TLS provides all
> these things, with the latest TLS version believed to be quite secure
> with current technologies and techniques. HTTPS layers HTTP over a
> secure SSL or TLS connection, and is available in Apache with mod_ssl.
>
> Your comment that "we've lost ALL hope of security" is quite accurate
> with regards to HTTP, TCP, and IP alone. These protocols were really
> not designed with any attention to security as security wasn't really
> an acknowledged concern at the time they were created. Thus we have
> add on protocols like SSL and TLS.
>
> Anyway, back to my point: tell us what you're actually trying to do
> and there's a good chance someone can help you, as long as you're
> willing to let go of any preconceived notions on how to get the job
> done (that's always the biggest stumbling block to learning something
> new).
>
> Cheers,
> -Brian
>
> --
> Feel free to contact me using PGP Encryption:
> Key Id: 0x3AA70848
> Available from: http://keys.gnupg.net
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>



-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
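
An added example, not part of the original message: a minimal hits vs. unique visitors counter that hands each new client an identifier in a cookie and counts it when the client sends it back. The HMAC tag on the cookie value goes beyond what the thread discusses and is included so that a value altered by the client is not trusted; the cookie name, the secret and the sample requests are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
COOKIE = "visitor"                # hypothetical cookie name

def _tag(visitor_id: str) -> str:
    return hmac.new(SECRET, visitor_id.encode(), hashlib.sha256).hexdigest()

def sign(visitor_id: str) -> str:
    """Cookie value: the id plus a tag only the server can compute."""
    return f"{visitor_id}.{_tag(visitor_id)}"

def verify(value: str):
    """Return the visitor id if the tag matches, otherwise None."""
    visitor_id, _, tag = value.partition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(visitor_id).encode())
    return visitor_id if ok else None

class VisitorStats:
    def __init__(self):
        self.hits = 0
        self.visitors = set()

    def handle(self, cookie_header: str):
        """Count one request; return a Set-Cookie value when a new id is issued."""
        self.hits += 1
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE)
        visitor_id = verify(morsel.value) if morsel else None
        if visitor_id is not None:          # returning visitor, value intact
            self.visitors.add(visitor_id)
            return None
        visitor_id = secrets.token_hex(16)  # no cookie, or one that fails the check
        self.visitors.add(visitor_id)
        return f"{COOKIE}={sign(visitor_id)}; Path=/; HttpOnly"

def demo():
    """Constructed traffic: two clients, repeat visits, one altered cookie."""
    stats = VisitorStats()
    alice = stats.handle("").split(";")[0]  # first visits carry no cookie
    bob = stats.handle("").split(";")[0]
    for header in (alice, alice, bob):      # cookies sent back unchanged
        stats.handle(header)
    forged = alice[:-1] + ("0" if alice[-1] != "0" else "1")
    stats.handle(forged)                    # altered value is counted as a new visitor
    return stats.hits, len(stats.visitors)
```

The tag only shows that a returned value was issued by the server; a client that drops the cookie is counted as a new visitor and one that copies it to another machine is counted as the same one, so the unique-visitor figure remains an estimate.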



