RE: Re[6]: [Phplib-users] new Session4 changes
From: Rob H. <rob...@ws...> - 2002-12-03 13:36:17
And now you are willing to make the situation one layer more complex? I do not know what ISPs in Russia are doing, I can only speak for those in the US and Western Europe, and a large number of them are going to caches in an attempt to remain competitive. As high speed services such as DSL are deployed that are a fraction of the cost of traditional dedicated services, the business customers that carry the brunt of the cost are no longer doing so. That means that the ISP has to reduce cost, and they are currently doing that with higher oversubscription on the bandwidth. Then, to reduce the bandwidth requirements, they are installing cache farms not only close to the POPs but at the NAP also to cache anything that they can. To the point where large emails are being delayed until the network throughput drops below a threshold.

What this boils down to is that currently roughly 1/3 to 1/2 of traffic is currently routed through a cache. AOL is the largest ISP currently doing this but Earthlink also does, and AT&T, BT, and MCI are in trials. AT&T is about to come out of those trials. There are several ISPs in Western Europe in particular where we have heard from users that they could get to sites even though the server sitting in front of me was turned off, so I know that it is fairly widespread. Take into account that another 1/3 of the traffic is from behind NAT devices and the IP address becomes not only an unreliable marker, but a false layer of security.

I understand the goals, but there just is not a reasonable answer right now. If the information being transmitted is that sensitive, then it should be done with a hard token anyway. You have to realize that XSS vulnerabilities are not highly exploited because that may get someone access to one account, one credit card #, one bank account. Attacks are mainly aimed at the system as a whole, the web server, db server, application itself because the potential payoff is much higher...
Rob Hutton
Web Safe
www.wsafe.com

> -----Original Message-----
> From: Maxim Derkachev [mailto:max...@bo...]
> Sent: Monday, December 02, 2002 12:13 PM
> To: Rob Hutton
> Cc: php...@li...
> Subject: Re[6]: [Phplib-users] new Session4 changes
>
> RH> So what you end up with is something that sounds good on paper, but causes
> RH> problems in MANY situations. Can you imagine being the sysadmin and trying
> RH> to figure out why sessions just go away for SOME people, SOME of the time?
>
> Well, I'm just this kind of sysadmin, and I'm fed up with persuading
> users to turn their cookies on, because many of them don't read that
> cookies must work on our site, others don't know what the cookies are
> and don't know how to turn them back on. And sometimes browsers f@#k up and
> don't handle cookies properly (e.g. Opera 6.01 and IE6 in some
> installations). And sometimes proxies cache cookies with other headers
> and send them to everybody using those proxies. I have the situation
> where the session just goes away for SOME people, in SOME circumstances,
> and I have it now. And I understand that we live in not such a
> perfect world where things are beyond our control in spite of rich and
> available specifications. So, don't expect that this is so uncommon - such
> things will last forever.
>
> I just sat down and calculated a bit. Let us have the stats of cookie
> usage - the stats are available everywhere. In Russia it is common
> that the rate of cookie-disabled browsers is from 3 to 5 per cent. So,
> we have a risk that 5 per cent of users won't be able to use our
> service if we enforce cookie usage. Then, what is the probability of
> changing the client's IP during the session? I don't think it would be
> more than 30% (in the worst case). So, we can lower the risk by 2/3
> without a loss (since we enforced cookies on everybody before). Does
> it matter? I think, yes, I'll have only a third of those people who may
> experience problems with my site.
>
> --
> Best regards,
> Maxim Derkachev mailto:max...@bo...
> IT manager,
> Symbol-Plus Publishing Ltd.
> phone: +7 (812) 324-53-53
> www.books.ru, www.symbol.ru