From: Richard L. <ce...@l-...> - 2002-07-24 22:03:50

>> As posted earlier, IPCop uses the HTTP-REFERER
>> to make more sure that you're surfing from your own
>> internal box, and some hacker hasn't hijacked the
>> session.
>
> Just how secure is this? Faking the referer isn't difficult (or have I
> missed something?), and it is only an optional header and as we know not all
> browsers send it. One might argue that a security conscious user would turn
> off the referer in their browser.
>
> (I used to use the referer to check for bogus form submissions from a web
> form, and had to change tactic due to the number of failed submissions
> resulting from the lack of referer header.)

There was a long thread on how this was actually useful on the SW list. I understood it and it made sense at the time I read it, but I've forgotten the details completely.

Certainly REFERER can be forged, and not all browsers consistently provide them based on how you get from URL A to URL B, but in this one case, the REFERER was a quick hack that made sense in the specific context of its usage.

All by itself REFERER is useless -- In the context it was used, it helped verify something useful.

You'd have to dig out the thread from somebody's Unofficial archive of SW lists, since AFAIK there are no official archives (Grrrr.) of that content.

--
Like Music? http://l-i-e.com/artists.htm
I'm looking for a PRO QUALITY two-input sound card supported by Linux (any major distro). Need to record live events (mixed already) to stereo CD-quality. Soundcard Recommendations? Software to handle the recording? Don't need fancy mixer stuff. Zero (0) post-production time. Just raw PCM/WAV/AIFF 16+ bit, 44.1KHz, Stereo audio-to-disk.
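The two positions in the thread above (a Referer check is a cheap sanity check in context; a Referer check alone is forgeable and breaks for browsers that strip the header) can both be shown in code. The following is an added example, not IPCop's code nor anything the posters wrote: it validates the request's Origin header (a later addition to browsers, not mentioned on the page) or, failing that, Referer, against a trusted admin host, makes the "header missing" case an explicit policy decision, and pairs the check with a per-session form token so that a stripped Referer no longer has to mean a failed submission. The trusted host, secret, session id and sample headers are constructed values.

```python
"""Origin/Referer validation for state-changing requests, plus a session-bound
form token. Added example; assumes a hypothetical web front end that hands us
the request headers as a dict, the submitted form fields as a dict, and a
session identifier. Not IPCop's code."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed value: host[:port] of our own admin interface (hypothetical).
TRUSTED_HOST = "192.168.1.1:445"


def _host_of(url):
    """Return host[:port] of an absolute http(s) URL, or None if unparsable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.netloc.lower()


def referer_check(headers, trusted_host=TRUSTED_HOST, allow_missing=False):
    """Decide whether the request appears to come from our own pages.

    Origin is checked first because browsers send it on cross-site POSTs even
    when Referer is suppressed; Referer is the fallback. Both headers are
    browser-controlled, so a deliberately forged header passes: this only
    stops browser-driven cross-site submissions. Returns (ok, reason).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if value is None:
            continue
        if value == "null":  # opaque origin: definitely not our admin pages
            return False, "origin is null"
        host = _host_of(value)
        if host is None:
            return False, f"{name} header unparsable"
        if host != trusted_host.lower():
            return False, f"{name} host {host!r} is not {trusted_host!r}"
        return True, f"{name} matches trusted host"
    # Neither header present: the "browser strips Referer" case from the thread.
    if allow_missing:
        return True, "no origin/referer header; allowed by policy"
    return False, "no origin/referer header; rejected by policy"


def make_form_token(session_id, secret):
    """Token embedded in our own forms; bound to the session via HMAC."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_form_token(session_id, secret, submitted):
    """Constant-time comparison of the submitted token against the expected one."""
    expected = make_form_token(session_id, secret)
    return hmac.compare_digest(expected, submitted or "")


def authorize_state_change(headers, form_fields, session_id, secret):
    """Combined decision: the header check may not point elsewhere, and the
    session-bound token must match. Because the token carries the real
    authorization, a missing Referer can be tolerated (allow_missing=True)
    without reopening the bogus-submission problem."""
    ok, reason = referer_check(headers, allow_missing=True)
    if not ok:
        return False, reason
    if not check_form_token(session_id, secret, form_fields.get("token")):
        return False, "form token missing or wrong"
    return True, "header check and token both pass"


if __name__ == "__main__":
    # Constructed sample requests against a constructed secret/session.
    secret = b"constructed-secret-do-not-reuse"
    token = make_form_token("sess-1", secret)
    samples = [
        ({"Referer": "http://192.168.1.1:445/cgi-bin/index.cgi"}, {"token": token}),
        ({"Referer": "http://other.example/page.html"}, {"token": token}),
        ({}, {"token": token}),   # privacy-conscious browser, no Referer
        ({}, {}),                 # no header and no token
    ]
    for hdrs, fields in samples:
        print(hdrs, fields.keys(), "->", authorize_state_change(hdrs, fields, "sess-1", secret))
```

The design point is the one the thread circles around: the header check is a cheap filter for browser-driven cross-site requests, worthless against a client that sets its own headers, and only usable as a hard requirement if you accept losing submissions from browsers that omit Referer; binding a token to the session is what lets the missing-header case be accepted safely.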