
shibboleth-dev - RE: Shibboleth and ipv6

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: Shibboleth and ipv6
  • Date: Wed, 19 Oct 2005 16:54:21 -0400
  • Organization: The Ohio State University

> No, the threat I worry about is cookie theft, which is much easier. Browsers
> don't do a good job of protecting against that, bugs there crop up
> constantly. An IP check is an order of magnitude harder to beat than
> exploiting the bug of the week in IE is.

I should point out that this is more of a consequence of implementation than
anything else. I could have (and maybe I should) split the settings up so
that you could disable the IdP vs SP address check during initial sign on
but still lock the session cookie down to one address.

I equated them because in my experience it's not an IdP vs SP problem but
more of a problem with a user behind a proxy that's changing the address all
the time, so when we've had to disable it, it's been for both purposes.

Sounds like your scenario of local campus NAT might justify splitting them
up for the next version.

-- Scott
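
The split discussed in this message, sketched as an added example (not part of the original post and not Shibboleth code): one switch for the IdP vs SP address comparison at sign-on, a separate one for locking the session cookie to an address. The names `AddressPolicy`, `check_signon_address`, `bind_session_address` and `SessionStore` are hypothetical, and the addresses are constructed samples standing in for a campus NAT.

```python
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AddressPolicy:
    # Hypothetical switches: the message describes a single combined setting.
    check_signon_address: bool  # address the IdP saw must equal the one the SP sees
    bind_session_address: bool  # session cookie is only honoured from its first address


def normalize(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


class SessionStore:
    def __init__(self, policy):
        self.policy = policy
        self._bound = {}  # session id -> address the session was created from

    def create(self, idp_seen_addr, sp_seen_addr):
        """Return a new session id, or None if the sign-on address check fails."""
        sp_ip = normalize(sp_seen_addr)
        if self.policy.check_signon_address and normalize(idp_seen_addr) != sp_ip:
            return None
        sid = secrets.token_urlsafe(32)
        self._bound[sid] = sp_ip
        return sid

    def validate(self, sid, client_addr):
        """Accept a presented cookie only if it passes the per-session check."""
        bound = self._bound.get(sid)
        if bound is None:
            return False
        if self.policy.bind_session_address and normalize(client_addr) != bound:
            return False
        return True


if __name__ == "__main__":
    # Constructed case: the IdP sees the internal address, the SP sees the NAT address.
    split = SessionStore(AddressPolicy(check_signon_address=False, bind_session_address=True))
    sid = split.create("10.1.2.3", "203.0.113.7")
    print("sign-on accepted:", sid is not None)
    print("same address:", split.validate(sid, "203.0.113.7"))
    print("cookie replayed elsewhere:", split.validate(sid, "198.51.100.9"))
```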



