
Archive for October, 2012


How to Authenticate a User – Cookies

Nearly every web site faces this dilemma – how to authenticate and identify the users of its site. In real life it’s not difficult: you can give someone a photo ID or pass, or even ask people to show their driver’s license.

The point is that in the real world, you can provide proof of your identity by using a physical credential. So you can borrow a DVD from Blockbusters or get a discount in a hotel by simply showing a specific card that you possess.

The Digital Identification Dilemma

Unfortunately it’s not quite the same in the digital world: it’s impractical (although not impossible) to supply physical credentials to prove your identity. But it does work on basically the same premise – the web site requests your credentials and you need to supply them to continue.

An online authentication system such as a web site needs to be supplied with one of the following:

  • Something you possess
  • Something you know
  • Something you are
  • Any or all of the above

All these are called ‘authentication factors’, and the more that are supplied, the more secure the system is supposed to be. For instance, if you hear a phrase like ‘Two Factor Authentication’ it simply means that you need two of the above to verify your identity. An ATM is a good example: you need a card (something you possess) and a PIN (something you know) in order to draw cash from your account.

In the digital world there are many simple but slightly unreliable methods; for instance, verifying your location by IP address is simple to code but unreliable, as addresses can change frequently. There is one main way of authenticating a user online, and that is the ‘cookie’. It’s a term most of us will be aware of, but perhaps without being entirely sure what cookies are.

The cookie is defined as a ‘handle, transaction id, or other token of agreement between operating systems’. The cookie is like the ticket you get when you leave your suit at the dry cleaner’s: it’s good for only one thing, getting your suit back. The cookie is exactly the same in digital form – a record of a specific transaction or visit. The only difference, apart from the lack of a physical token, is that the cookie will be updated each time you come back and visit the same site.

This is basically what happens when you visit a web site:

  1. Web site asks browser to store some information.
  2. Web site supplies the information.
  3. Browser stores the information in a file locally (the cookie).
  4. Cookie doesn’t contain any private information.
  5. Cookie is presented on subsequent visits.

It’s not that complicated, and it’s not intended to be. The real aim is to identify subsequent visits by the same individual, with the aim of storing passwords, preferences and choices made by that person. All the major browsers have the facility to block or restrict cookies, of course, if you are concerned about the privacy issues.
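To make the five steps above concrete, here is an added example (not code from the original post) of the dry-cleaner’s ticket in Python: the site hands the browser an opaque random token, remembers on the server whose token it is, and on the next visit maps the presented cookie back to that visitor. The names issue_session, identify and browser_cookie_header, the secret key and the session store are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample key; a real deployment would load this from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Server-side store: the ticket (cookie value) maps to who the visitor is.
# Because the identity lives here, the cookie itself carries no private data (step 4).
_sessions = {}


def _sign(token: str) -> str:
    """Append an HMAC so a tampered or invented cookie is rejected before any lookup."""
    mac = hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{mac}"


def issue_session(username: str) -> str:
    """Steps 1-3: the site asks the browser to store a ticket.

    Returns the value of the Set-Cookie header. The cookie holds only a random
    token plus its signature, never the username or password.
    """
    token = secrets.token_urlsafe(32)
    _sessions[token] = username
    c = SimpleCookie()
    c["session"] = _sign(token)
    c["session"]["httponly"] = True   # scripts running in the page cannot read it
    c["session"]["secure"] = True     # only sent over HTTPS
    c["session"]["samesite"] = "Lax"  # not attached to most cross-site requests
    c["session"]["path"] = "/"
    return c["session"].OutputString()


def browser_cookie_header(set_cookie: str) -> str:
    """Simulate the browser (step 5): keep only name=value for later requests."""
    c = SimpleCookie()
    c.load(set_cookie)
    return "; ".join(f"{name}={morsel.coded_value}" for name, morsel in c.items())


def identify(cookie_header: str):
    """Map a presented Cookie header back to a username.

    Returns None when the cookie is missing, malformed, forged or unknown,
    so the caller treats the visitor as anonymous rather than trusting the ticket.
    """
    c = SimpleCookie()
    try:
        c.load(cookie_header)
    except Exception:
        return None
    if "session" not in c:
        return None
    value = c["session"].value
    token, _, _mac = value.rpartition(".")
    # Constant-time comparison of the whole signed value against a fresh signature.
    if not token or not hmac.compare_digest(_sign(token), value):
        return None
    return _sessions.get(token)


if __name__ == "__main__":
    set_cookie = issue_session("alice")
    print("Set-Cookie:", set_cookie)
    print("identified as:", identify(browser_cookie_header(set_cookie)))
```

The HttpOnly, Secure and SameSite attributes are what keep the ticket from being read by page scripts, sent in clear text, or attached to requests another site triggers; the HMAC means a visitor who edits the token in their cookie jar simply becomes anonymous instead of becoming someone else.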


How Is the Internet Filtered – Why Can’t I Visit that Site?

There are many nations that are rather keen on filtering the internet. Of course the examples they usually use are of sites run by pedophiles and criminals, which nobody objects to blocking. However, it rarely stops there, and once some sort of filtering system is adopted in a country you’ll find that the list of blocked sites gets longer and more varied. Pretty soon there will be all sorts of extensive censorship being practised – your Government will decide what you can and can’t do online.

But there’s another issue – the technical side is far from clear cut. There is no definitive best method for filtering on this scale. Here are a couple of the methods some countries have implemented. Both of the techniques depend on the development of a blacklist (sites that need to be blocked). So consider: somewhere there’s a little group of people who hold meetings deciding on what should be included in this list. Imagine if these people had strong religious or political beliefs – their decisions could be quite different from your own.


But to make use of this black list you have to find a way of stopping people visiting the sites on it.

One of the most basic methods is DNS poisoning, an extremely simple method of modifying the domain name tables belonging to the ISPs.

Using this method you can redirect requests for specific blocked pages somewhere else. So when a user asks for one of these pages, his browser is actually misdirected to another server – either one serving a warning page or one that is simply blank.

Surprisingly, many of the Scandinavian countries like Norway and Sweden have used this method in the past, and it has also been used in Holland and Germany. It’s an awful way of filtering as it messes around with the core functionality of the internet – DNS. But its biggest problem is that it’s extremely easy to bypass: point your machine at any non-poisoned DNS server and you will get the right address and be able to access the website. The other obvious issue is that you have to block an entire website, as the IP address is not related to a single page. That’s not easy with many social sites and collaborative platforms like Blogger and WordPress. For example, if you want to block a single offensive YouTube video you’d end up blocking most of the site with this method.

There are more sophisticated methods of filtering the internet, though: companies like BT and Optenet specialise in providing services such as Netclean. All the solutions work in slightly different ways, but fundamentally they all have some method of comparing the requested URL with a list of ‘naughty URLs’.

The list itself is obviously one problem, as mentioned above, especially in the eyes of those of us who argue against censorship of the internet. But the technologies can also cause issues: a recent report from Watchdog International highlighted a few technical difficulties that can happen with one of these technologies.

Here are a few of the instances.

ACMA Test of Blocking YouTube
When the Australian Government trialled the BGP filtering system Netclean White Box, they included a few URLs from YouTube to be blocked. The problem was that because a URL from this site was added, all requests for this domain name (YouTube) were then handled directly through the filter. Normally this wouldn’t be an issue with a low-traffic criminal website, but because YouTube is so popular the box had to deal with millions of requests, which in the end made the White Box fall over.
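The DNS-poisoning section and the ACMA incident above are two faces of the same design limit: the cheap first stage of a filter only sees host names, so it either blocks a whole site or diverts the whole site’s traffic through a box that can look at full URLs. The following added example (not any vendor’s code, and not from the original post) models that two-stage filter in Python with a constructed blacklist; the names dns_answer, route_request and filter_load and the RFC 5737 documentation addresses are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample blacklist of full URLs, the "naughty URLs" list.
BLACKLIST = {
    "http://badsite.example/",
    "http://video.example/watch?v=offending",
}

SINKHOLE_IP = "192.0.2.1"       # where diverted traffic lands (documentation range)
REAL_IP = "198.51.100.7"        # stand-in for the site's genuine address


def diverted_domains(blacklist):
    """Stage 1 works on names only: every host with any listed URL is diverted wholesale."""
    return {urlsplit(url).hostname for url in blacklist}


def dns_answer(host, blacklist):
    """DNS-poisoning style filter.

    A listed host resolves to the sinkhole, everything else to its real address.
    The resolver never sees the path, so it cannot tell one page from another.
    """
    return SINKHOLE_IP if host in diverted_domains(blacklist) else REAL_IP


def route_request(url, blacklist):
    """Two-stage (BGP diversion + URL filter) model.

    Returns ("direct", None) when the host is not listed at all, otherwise
    ("filter", blocked) where blocked says whether this exact URL matched.
    Real products normalise URLs before comparing; this model compares literally.
    """
    host = urlsplit(url).hostname
    if host not in diverted_domains(blacklist):
        return ("direct", None)
    return ("filter", url in blacklist)


def filter_load(urls, blacklist):
    """Count how many requests the filter box must inspect.

    One listed URL on a popular host pulls all of that host's traffic through
    the box, which is the overload the ACMA trial ran into.
    """
    return sum(1 for url in urls if route_request(url, blacklist)[0] == "filter")


if __name__ == "__main__":
    # Constructed traffic sample: a thousand harmless videos and one unrelated site.
    sample = [f"http://video.example/watch?v={i}" for i in range(1000)]
    sample.append("http://news.example/")
    print("DNS answer for video.example:", dns_answer("video.example", BLACKLIST))
    print("requests the filter box must handle:", filter_load(sample, BLACKLIST))
```

Running it shows the trade-off in numbers: the DNS stage sinkholes every page on video.example for the sake of one video, while the two-stage design lets the harmless pages through but only after all 1000 requests have passed through the filter box, and only one of them was ever on the list.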

Wikipedia image was contained in IWF List

The Web Watch Foundation manages a very extensive black list of sites on the web. The list can be used by anybody as a master list of which web sites to block. In this event the IWF added the URL of a picture stored on Wikipedia. Unfortunately this caused a problem with the BT Cleanfeed system being used: when the system filters a web request it acts like a proxy server, substituting its own IP address for the requester’s. In one of the tests this meant that Wikipedia got hundreds of thousands of requests from a single IP address range (the BT Cleanfeed system), which ended up with that range being banned and Wikipedia becoming inaccessible for everyone.

The Web Watch Foundation removed the URL pretty rapidly and realised their error, but at least the incident highlighted the potential problems of starting any mainstream censorship and Internet filtering. There is also the very real issue that such censorship can normally be bypassed very easily by simply using a proxy server if needed.