[MUD-Dev] Re: Quick question re: SSL

Sean Middleditch elanthis at awesomeplay.com
Sat Feb 28 02:43:09 New Zealand Daylight Time 2004

On Feb 17, 2004, at 3:28 AM, sziisoft wrote:
> From: "ceo" <ceo at grexengine.com>

>> PS caches seem to fairly consistently use the extended
>> (i.e. non-standard) HTTP headers to indicate the IP address they
>> are routing on behalf of; I haven't checked *every* ISP of every
>> player, but I may be able to use these extended headers to infer
>> the same IP address for a client, no matter which proxy/cache
>> they come via.

> Hardware address.  Guaranteed unique per card unless someone
> overrides it (which is very rare).  You can set it up in the SSL as

that's a myth.  mac addresses are definitely reproduced; i've seen a
number of cards in large deployments with this situation.  vendors
don't have a big list of every mac id they've used before to avoid
duplication, they random seed runs of cards.  mac address is only
guaranteed to be unique on a local link (and that's because if
they're not, they won't work, so you have to swap cards or manually
change the mac addr).

> the auth, then possibly allow that hwaddress(MAC address) in
> conjunction with the rest of the security mechanism.  SSL keeps it
> from being sniffed, but you run into the possibility of
> memory-watchers/decompilation/etc on the client seeing that you're
> using the hw address for handshake/auth.  ARP table lookups might
> be another implementation.

> Security through obfuscation, to a point.

Which works for about 3 seconds...
MUD-Dev mailing list
MUD-Dev at kanga.nu
