On Wed, Nov 11, 2009 at 1:56 PM, Brian Mearns <mearns.b@xxxxxxxxx> wrote:
> cookies.
> cookies.
> COOKIES. For god's sake just listen to somebody. The only way to achieve
> what you want is to send data to the client and get them to send it
> back. That's a cookie. What you're looking for is exactly what Google
> Analytics does, which I mentioned early yesterday. Hit vs. Unique
> visitors, they even have a graph to show you this exact statistic.
>
> Regarding this little gem: "Then it becomes impossible to know if a
> page REALLY exists or if my emails are going where intended, or coming
> from where stated... so am I to assume that traffic addressing in
> general has FAILED?". No, like I said you cannot be sure of where
> traffic is coming from or who is getting it with IP, TCP, or HTTP.
> That's exactly right. In general, we can take it for granted that
> messages most likely go where intended and most likely come from where
> they claim to, but this is definitely open to attack and requires
> stronger protocols if you absolutely need to be sure of it. When you
> search Google, you can feel pretty confident that the results really
> come from Google because nobody has much to gain by sneaking in their
> own results. When you connect to your bank's website, it's a much
> different story and you shouldn't take anything for granted: you need
> additional protection outside of these three protocols.
>
> TLS and SSL use cryptographic techniques to authenticate end points in
> the communication and to encrypt and sign the data being transmitted
> so that you can verify it was not tampered with along the way.
>
> If you want more information on how to use cookies for what you're
> doing, I'd be happy to help, and we can probably take the discussion
> off-list. If you're not willing to use cookies, you can encode it in
> the URL, and I can help you with that as well. But either way, you are
> relying on the user to send the information back intact.
> If you can't trust your end users to do that and it's important that
> you know for sure, you will need TLS or SSL. I can help you get started
> with these, but there are others on this list with much more knowledge
> on the subject than myself.
>
> -Brian
>
> On Wed, Nov 11, 2009 at 4:28 PM, Stephen Love <stephenlove@xxxxxxxx> wrote:
>>
>> Hmmm... somewhat new to the inner details... all I know is what I research
>> on my own... have not had a book-learning course on this... but TLS... what
>> is that? AND... I simply want a list of source identifiers of incoming
>> requests so that I can check each new one for duplicate incoming source...
>> just a HITS vs UNIQUE VISITORS. I want NOTHING MORE. I can do add'l tracking
>> based on time, date, etc, on my own. Just site usage statistics.
>>
>> See us online at http://www.LOVEnCompany.com.
>>
>> ---------- Original Message ----------
>> From: Brian Mearns <mearns.b@xxxxxxxxx>
>> To: users@xxxxxxxxxxxxxxxx
>> Subject: Re:
>> Date: Tue, 10 Nov 2009 22:34:24 -0500
>>
>> On Tue, Nov 10, 2009 at 6:37 PM, Eric Covener <covener@xxxxxxxxx> wrote:
>>> On Tue, Nov 10, 2009 at 6:20 PM, Stephen Love <stephenlove@xxxxxxxx> wrote:
>>>> So what you are telling me is that there IS no REAL 2-way
>>>> handshaking going on. Then we've lost ALL hope of security.
>>>>
>>>
>>> What's "REAL" in this context? It's not authenticated and doesn't
>>> result in some session establishment unless you configure your
>>> application to require/manage such a thing?
>>>
>>> --
>>> Eric Covener
>>> covener@xxxxxxxxx
>> [clip]
>>
>> Yes, why don't you tell us exactly what you want to do, what's your
>> end goal? Visitor stats? Geographic locating? Authentication of a
>> real-world identity? There's a lot of very bright and very
>> knowledgeable people on this list, so if there's any way at all to do
>> what you want, then there is a very good chance that somebody here
>> will be able to tell you.
>> It just might not be done the way you think it should be.
>>
>> As many of us have said, TCP is an end to end protocol. And in fact,
>> it is stateful, so you can send messages back and forth between the
>> two end points for as long as the connection is open. There is a
>> handshake that goes on between the two end points to set up this
>> connection, but this is not any sort of real authentication process
>> that confirms the identity of either end. What TCP gets you is pretty
>> good confidence that you are talking to the same person you were when
>> you started the conversation, but even that confidence is really only
>> upheld in the absence of active attacks like IP spoofing, and it
>> provides absolutely no confidence that there aren't other people
>> listening to the conversation, and potentially even participating in
>> the conversation.
>>
>> If you're looking for security: like making sure no one else is
>> listening to the conversation, no one else is modifying the
>> conversation data, and/or making sure that the person on the other end
>> is who they claim to be...then you're going to need a much more
>> sophisticated protocol than TCP, IP, or HTTP. SSL/TLS provides all
>> these things, with the latest TLS version believed to be quite secure
>> with current technologies and techniques. HTTPS layers HTTP over a
>> secure SSL or TLS connection, and is available in Apache with mod_ssl.
>>
>> Your comment that "we've lost ALL hope of security" is quite accurate
>> with regards to HTTP, TCP, and IP alone. These protocols were really
>> not designed with any attention to security as security wasn't really
>> an acknowledged concern at the time they were created. Thus we have
>> add on protocols like SSL and TLS.
>>
>> Anyway, back to my point: tell us what you're actually trying to do
>> and there's a good chance someone can help you, as long as you're
>> willing to let go of any preconceived notions on how to get the job
>> done (that's always the biggest stumbling block to learning something
>> new).
>>
>> Cheers,
>> -Brian
>>
>> --
>> Feel free to contact me using PGP Encryption:
>> Key Id: 0x3AA70848
>> Available from: http://keys.gnupg.net
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>
> --
> Feel free to contact me using PGP Encryption:
> Key Id: 0x3AA70848
> Available from: http://keys.gnupg.net
>

Stephen Love

I followed the advice on your email signature and decided to see you
online at http://www.LOVEnCompany.com, I'm pretty sure this is what
you're looking for:

http://help.yahoo.com/l/us/yahoo/geocities/addons/counter/counter-01.html
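
Added example, not part of the original thread and not written by any of its participants: a sketch of the hits vs. unique visitors count done with a cookie, as the thread suggests. The HMAC on the cookie value is an addition that goes beyond the thread (which points to TLS/SSL), shown here so a modified cookie is detected; the key, the cookie format and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-example-key"  # constructed; keep the real one server-side


def _mac(visitor_id: str) -> str:
    return hmac.new(SECRET_KEY, visitor_id.encode(), hashlib.sha256).hexdigest()


def sign(visitor_id: str) -> str:
    """Cookie value 'id.mac'; the MAC lets the server spot an altered id."""
    return f"{visitor_id}.{_mac(visitor_id)}"


def verify(cookie_value: str):
    """Return the visitor id if the MAC matches, otherwise None."""
    visitor_id, sep, mac = cookie_value.rpartition(".")
    if not sep or not visitor_id:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(visitor_id).encode())
    return visitor_id if ok else None


class VisitCounter:
    """Hits vs. unique visitors, keyed on a signed visitor cookie."""

    def __init__(self):
        self.hits = 0
        self.unique = set()
        self.rejected = 0  # cookies that came back modified or malformed

    def handle(self, cookie_value=None):
        """Count one request; return a cookie value to set, or None."""
        self.hits += 1
        visitor_id = verify(cookie_value) if cookie_value else None
        if visitor_id is not None:
            self.unique.add(visitor_id)  # returning visitor, no new cookie
            return None
        if cookie_value:
            self.rejected += 1
        new_id = secrets.token_hex(16)  # unguessable id for a first visit
        self.unique.add(new_id)
        return sign(new_id)


def demo():
    counter = VisitCounter()
    cookie = counter.handle()            # first visit, cookie issued
    counter.handle(cookie)               # same browser again
    forged = "0" * 32 + "." + cookie.rpartition(".")[2]
    counter.handle(forged)               # altered id, MAC no longer matches
    return counter.hits, len(counter.unique), counter.rejected
```

A client that never returns the cookie is counted as a new visitor on every hit, and a cookie copied to another browser still verifies. The MAC only shows that the value was not modified, so the unique count remains an estimate.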