RE: Trusting localhost?

From: Lapinski, Michael (Research) (lapinski_at_crd.ge.com)
Date: 07/28/03

    To: "'Gerard Vignes'" <gerardmarshallvignes@hotmail.com>, secprog@securityfocus.com
    Date: Mon, 28 Jul 2003 14:21:01 -0400
    
    

    Hi,
     I wouldn't use machinename as a reference to localhost,
    as a lookup by machine name returns the routable IP
    address of the machine and involves talking to a
    DNS server.

    -mtl

    --------------------------------------------------
    Michael Lapinski
    Computer Scientist
    GE Research

    "I think there is a world market for maybe five computers."
                - IBM Chairman Thomas Watson, 1943

    ->-----Original Message-----
    ->From: Gerard Vignes [mailto:gerardmarshallvignes@hotmail.com]
    ->Sent: Monday, July 28, 2003 2:16 PM
    ->To: secprog@securityfocus.com
    ->Subject: Re: Trusting localhost?
    ->
    ->
    ->Just remember that there are at least 3 ways to reference a
    ->local host:
    -> 127.0.0.1
    -> localhost
    -> machinename
    ->These methods have different security implications.
    ->
    ->>From: Craig Minton <CraigSecurity@blazemail.com>
    ->>Reply-To: CraigSecurity@blazemail.com
    ->>To: secprog@securityfocus.com
    ->>Subject: Trusting localhost?
    ->>Date: Wed, 23 Jul 2003 14:16:13 -0700 (PDT)
    ->>
    ->>If you are creating an application that communicates using
    ->TCP, but only
    ->>want to take requests from the localhost, are there reasons
    ->why you would
    ->>not want to check that the incoming request is from
    ->localhost and then
    ->>trust it? This is in a Windows environment. Would IP
    ->spoofing work if the
    ->>application was checking for the IP address 127.0.0.1? If
    ->so, how likely
    ->>is it that IP spoofing would work today, in a corporate environment?
    ->>
    ->>Thank you for any direction you can provide.
    ->
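Added example (not part of the original thread): a Python sketch of the point discussed above, showing that the three ways of naming the local host can resolve differently, and a listener that binds to the literal loopback address and re-checks each peer. The function names are hypothetical, and port 0 is used only so the demo picks a free port.

```python
import ipaddress
import socket

def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x.x.x)."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # older Pythons do not treat mapped loopback as loopback
    return ip.is_loopback

def resolve(name):
    """Addresses a name resolves to. A machine name may go through the
    resolver (hosts file, DNS) and come back as a routable address."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def resolves_only_to_loopback(name):
    """A name is acceptable as a local-only bind target only if every
    address it resolves to is a loopback address."""
    addrs = resolve(name)
    return bool(addrs) and all(is_loopback(a) for a in addrs)

def open_local_listener():
    """Bind to the literal 127.0.0.1: no name lookup is involved and the
    socket is bound to the loopback interface only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = OS-chosen port (demo assumption)
    srv.listen(1)
    return srv

def accept_local_only(srv):
    """Accept one connection; drop it unless the peer address is loopback."""
    conn, peer = srv.accept()
    if not is_loopback(peer[0]):
        conn.close()
        return None
    return conn

if __name__ == "__main__":
    # The three references from the thread; output depends on the host's resolver.
    for name in ("127.0.0.1", "localhost", socket.gethostname()):
        print(name, sorted(resolve(name)), resolves_only_to_loopback(name))
```

The peer check says where the connection came from, not who made it: any process on the same machine can connect to the loopback port.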

