[Owasp-appsensor-project] how to detect if a detection point is created and some other questions

santosh kumar pydi.santu at gmail.com
Mon Mar 11 16:24:47 UTC 2013


Yes Dennis, I understood. Instead of relying on IP address data, it is
better to tackle this with a browser fingerprinting mechanism. Even though it may
not provide 100% reliability on malicious user info, it significantly
improves your requirement criteria.

On Mon, Mar 11, 2013 at 9:25 PM, Dennis Groves <dennis.groves at gmail.com> wrote:

> On 11 Mar 2013, at 15:37, santosh kumar wrote:
>
>> IP address information is not at all sufficient for user identification.
>
> This is the key requirement - **sufficient identification**
>
>
>> Of course, a user may use different systems for accessing an
>> application.
>
> Of course!
>
>
>> Instead, a two-level security check can be incorporated to give access,
>> which can avoid unauthenticated entry into the application.
>>
>
> We are not doing authentication nor access control. What we are doing does
> not require positive identification. All that is required is just enough
> information for creating AppSensor 'detection points'
>
> For example - if you have the 33 bits of information about all
> authenticated users, and you hashed that information and compared it to a
> hash of the 33 bits of information about anybody who is attempting to
> log into the site - you now have enough information to know statistically
> if you have a new user, or a returning user with a high degree of certainty.
>
> Of course nothing is perfect; I myself travel the world and google always
> fails to get my language settings correct despite my having literally set
> them in my profile.
>
> Nevertheless, I have no doubt that my 21.4 bits of entropy give you far
> more information about me as a person than any IP address ever would -
> despite my changing localities all the time. And that information is more
> than enough to make decisions about me with the OWASP AppSensor.
>
> E.g. If my 21.4 bits of entropy attempt to hack you with say a SQLi - you
> can likely ban my 21.4 bits of entropy at the application for 4 hours with
> a great deal more success and less side effects than my IP address (current
> 'best practice') and the entire point of the OWASP AppSensor concept.
>
> Does this make sense to you Santosh?
>
> Dennis
>
> --
> [Dennis Groves](http://about.me/dennis.groves), MSc
> [Email me](mailto:dennis.groves at owasp.org) or
> [schedule a meeting](http://goo.gl/8sPIy).
>
> *This email is licensed under a [CC BY-ND 3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB)
> license.*
>
> **Please do not send me Microsoft Office/Apple iWork documents.**
> Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
> Stand up for your freedom to install [free software](http://www.fsf.org/campaigns/secure-boot/statement).
>
>> The idea that some lives matter less is the root of all that’s wrong with
>> the world. -- Paul Farmer
>
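An added example, not code from this thread or from the AppSensor project, sketching the scheme Dennis describes in Python: hash a fixed set of browser-exposed attributes, compare the hash of each login attempt against the hashes recorded at successful authentication to tell a new user from a returning one, measure how many bits of information a hash carries within a sample population, and ban the hash rather than the IP for four hours when a detection point fires. The attribute names, the sample clients and the one-line SQLi pattern are constructed for illustration only; the 33 and 21.4 bits quoted above are Dennis's figures, not something this code reproduces.

```python
import hashlib
import math
import re
import time
from collections import Counter

# Request-observable attributes that make up the fingerprint. This field set is
# an assumption for the example; a real deployment would choose its own.
FIELDS = ("user_agent", "accept_language", "timezone", "screen", "plugins")

# Deliberately crude SQLi indicator standing in for a real detection point.
# It will false-positive on names like O'Brien; that is not the point here.
SQLI_PATTERN = re.compile(r"('|--|;|\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+\bselect\b)", re.I)


def fingerprint(attrs):
    """Canonicalise the chosen attributes and hash them.

    Only the digest is kept server-side, so raw attribute values need not be
    stored. Keys outside FIELDS (the client IP, for instance) are ignored on
    purpose: the same browser keeps the same hash when it changes networks.
    """
    canon = "\x1f".join(f"{k}={attrs.get(k, '')}" for k in FIELDS)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def surprisal_bits(population, fp):
    """Self-information of one fingerprint hash within a list of observed hashes.

    -log2 P(fp): a hash shared by half the population carries 1 bit, a hash
    unique among N carries log2(N) bits. This is the "bits of information"
    idea from the message, measured on a sample instead of asserted.
    """
    counts = Counter(population)
    return -math.log2(counts[fp] / len(population))


class FingerprintSensor:
    """Minimal AppSensor-style sensor keyed on the fingerprint hash, not the IP."""

    def __init__(self, ban_seconds=4 * 3600, clock=time.time):
        self.known = set()        # hashes seen at successful authentication
        self.bans = {}            # hash -> ban expiry (epoch seconds)
        self.ban_seconds = ban_seconds
        self.clock = clock        # injectable so expiry can be tested

    def record_login(self, attrs):
        self.known.add(fingerprint(attrs))

    def classify(self, attrs):
        """'returning' if this hash authenticated before, otherwise 'new'."""
        return "returning" if fingerprint(attrs) in self.known else "new"

    def is_banned(self, attrs):
        fp = fingerprint(attrs)
        expiry = self.bans.get(fp)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.bans[fp]     # the ban has lapsed; forget it
            return False
        return True

    def inspect_param(self, attrs, value):
        """Detection point: an SQLi-looking parameter bans this hash for ban_seconds."""
        if SQLI_PATTERN.search(value):
            self.bans[fingerprint(attrs)] = self.clock() + self.ban_seconds
            return True
        return False


# Constructed sample clients (not real data).
ALICE = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0",
         "accept_language": "en-GB,en;q=0.5", "timezone": "0",
         "screen": "1440x900x24", "plugins": "Shockwave Flash 11.6"}
ALICE_ON_THE_ROAD = dict(ALICE, ip="198.51.100.7")   # new network, same browser
MALLORY = dict(ALICE, accept_language="ru-RU,ru;q=0.8", screen="1366x768x24")
COMMON = {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Chrome/25.0",
          "accept_language": "en-US,en;q=0.8", "timezone": "300",
          "screen": "1920x1080x24", "plugins": ""}
OTHER = dict(COMMON, timezone="-60")

# Eight observed hashes: COMMON occurs four times, the others once each.
POPULATION = [fingerprint(a) for a in
              [COMMON] * 4 + [ALICE, MALLORY, OTHER, dict(OTHER, plugins="Java")]]

if __name__ == "__main__":
    sensor = FingerprintSensor()
    sensor.record_login(ALICE)
    print("alice from a hotel:", sensor.classify(ALICE_ON_THE_ROAD))
    print("mallory:", sensor.classify(MALLORY))
    print("mallory sends SQLi:", sensor.inspect_param(MALLORY, "' OR 1=1 --"))
    print("mallory banned:", sensor.is_banned(MALLORY), "alice banned:", sensor.is_banned(ALICE))
    print("bits carried by alice's hash:", surprisal_bits(POPULATION, fingerprint(ALICE)))
```

The ban is keyed on the digest, so a client behind a changing address (Alice travelling) stays recognised and a client sharing an address with others (a NAT or a proxy) is not caught by someone else's ban, which is the side-effect argument made above. The expiry is checked lazily on lookup rather than by a background job, which is enough for a sketch but would need a bounded store in a real sensor.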

