I have a web application which passes an authentication key to web services for security. To avoid man-in-the-middle attacks, the IP address of every request is checked against the IP address from the initial authentication request. However, when accessed from a machine that uses a proxy server, the IP address is not necessarily the same. What can I do to avoid this problem?

+2  A: 

IP addresses are easily spoofed so this is not a terribly useful guard.

When attempting to implement protocol-level security, always use someone else's well-tested and reasoned-about design (and preferably implementation) over your own, unless the reasons not to do so are compelling.

http://en.wikipedia.org/wiki/WS-Security exists and simply making the whole chain use https should be sufficient for your needs (so long as the overhead of the security is not a problem).

ShuggyCoUk
+1  A: 

I guess the simplest approach would be to use SSL.

If you cannot use SSL, you could use XML Signature, which would at least allow you to detect if a message has been altered. Here is a good article about using this in Java:

http://java.sun.com/developer/technicalArticles/xml/dig_signature_api/

Myrtleoturtle