RE: Identifying GUID

I'm looking for a way to identify the GUID/Network card ID number of a person's computer visiting my site using CGI .. unless anyone has an easier idea...

Thanks
Jon
MAVERICK Asked:

BigRat Commented:
The nearest thing which you can get is the HostAddress (available as an environment variable) of the client. This may or may not be interesting (intranet yes, internet - not necessarily). Even on an intranet if DHCP is on the addresses are "random".
If you want the info for logon purposes you'd be better off going for Basic Authentication (see RFCs for details) or a Cookie based solution.
0
MAVERICK Author Commented:
I know I can authenticate using .htaccess and cookies ... If you can get the GUID from a computer ... it's an almost foolproof way of authentication....

Thanks
0
BigRat Commented:
I agree. The network card number (hardware number burned in on the card) is globally unique (or at least barring fakes it is) and is placed in the TCP/IP packet on sending. But you don't see this at the socket layer, and more importantly, proxy servers don't transmit it forward, since they send their own address. The routing mechanism of TCP/IP relies on the "virtual" address and not the physical.
0
MAVERICK Author Commented:
When they identified GUIDs on the web did they do it from Word documents??? Could it be done from a Java applet running on the browser?
If you would like Full details pls email ...
Regards
Maverick
tomcat 203@geocities.com
0
monas Commented:
Maverick,

      The NIC address goes only to the closest router.

      I suppose that a Java applet should not be allowed to access the NIC address. Maybe an MS solution would make it possible... but due to the fact that this information will come from the user's computer, a dedicated user will be able to fool your authentication because they can send anything.

      Just my ideas...
0
BigRat Commented:
A Java applet cannot access the NIC address without going through the Native Interface with your own personal dll.
   A COM object, which you could download, could get the NIC address (or anything else you wanted). I personally would be very upset if anybody wanted to load a COM object on my machine.
   The last comment from monas applies. Anything you stick on the user's machine (COM or Java) can be misused to fool your authentication, unless it is encrypted. This is why a cookie system based on the Kerberos authentication system is the best to date, and will appear as standard in Windows 2000.
   Furthermore I don't quite understand your last posting. Are you attempting to answer your own question? Or perhaps I'm a bit thick today. I have a slight cold.
0
monas Commented:
BigRat,

      Even if it is encrypted - a dedicated user can fool it - encryption is performed on the client machine - therefore on the client all the keys can be made available.
0
MAVERICK Author Commented:
COM object... that's like an ActiveX control on a webpage, isn't it..
0
BigRat Commented:
An ActiveX control is a COM object which supports certain interfaces; it should allow events (Event sink) and dynamic dispatch (so that it can be called from VBA). COM is just the binary standard for Microsoft's reusable objects. Microsoft has gone from OLE, through COM to ActiveX and now onwards to COM+ for basically the same technology at various levels of enhancement.

   Encryption: A MyCom object would perform an encryption with keys known to MyServer object. If any other object tries to impersonate MyCom object he must be able to encrypt the way I do. (It's very similar in concept to CHAP on WinNT).
0
MAVERICK Author Commented:
Are there any hosting problems with client side ActiveX encryption?? Like, can it be done on a Unix box...

How easy would it be to write one? I'm familiar with VB5 but not writing ActiveXs

..
0
BigRat Commented:
Hosting problems: check out www.sagus.com for the latest on porting COM to Unix. In fact you need a COM object on the browser's page, which would force you to use Microsoft's IE since no other browsers support it (Netscape not!). The COM object would need to make a TCP/IP connection to the server (http?) which could be Unix or IIS. The COM object could do the encryption and send an encrypted message. This could be the user name and password. You'd still have to keep a cookie running as session ID, although this could be the encrypted message.

Visual Basic 5 (or 6.0) has a Wizard for making ActiveX controls. It even wraps it up into a .ocx file for you. Check that out.
0
MAVERICK Author Commented:
k I'll check it out...
0
BigRat Commented:
I must admit I don't like this sort of solution. I personally use a cookie based system where I hold a global table of users and access rights, which I use when a user requests a page, and I "index" the table with a key generated via a random number generator and given to the user after login in a cookie. When my server goes down all cookies automatically become invalid and there is almost no way that a user can guess a key.
   I'm looking forward to Windows 2000 and Kerberos authentication, where the cookie could hold a delegation for the user which I can use to access Windows services (ie: I can pass his access rights forward). At the moment my Login is as open as Basic Authentication and although WindowsNT supports CHAPS (where the password does not go naked over the net) I can't take part in it. I suppose I ought to write a COM object which supports CHAPS against Apache.
0

MAVERICK Author Commented:
so you think I'm better off just using cookies...
0
BigRat Commented:
Yes, if you want to build something yourself. You currently have two choices - Basic Authentication where you look at environment variables for user and password, rejecting the request if missing, or a session ID cookie based system, where you send back a cookie which identifies a server side table entry for the user. (Actually three since you can easily combine both of these) (Like EE I think).
0
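The session ID cookie scheme BigRat describes in the comments above, as an added example that is not part of the original thread: a server-side table indexed by an unguessable random key handed out in a cookie. The cookie name `sid`, the one-hour lifetime and the function names are assumptions made for this sketch.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSIONS = {}        # in-memory table: a server restart empties it, voiding every cookie
SESSION_TTL = 3600   # assumed lifetime in seconds

def login(user, rights, now=None):
    """Create a table entry after a successful login; return (key, Set-Cookie header)."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
    SESSIONS[key] = {"user": user, "rights": set(rights), "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = key
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True  # also set "secure" once the site is served over SSL
    return key, cookie.output(header="Set-Cookie:")

def authorize(cookie_header, right, now=None):
    """Return the user name if the cookie maps to a live entry holding `right`, else None."""
    now = time.time() if now is None else now
    morsel = SimpleCookie(cookie_header or "").get("sid")
    if morsel is None:
        return None
    entry = SESSIONS.get(morsel.value)
    if entry is None:                 # unknown or guessed key
        return None
    if entry["expires"] <= now:       # expired: drop the entry so the key is dead
        del SESSIONS[morsel.value]
        return None
    return entry["user"] if right in entry["rights"] else None

def logout(cookie_header):
    """Remove the table entry; the cookie value is worthless afterwards."""
    morsel = SimpleCookie(cookie_header or "").get("sid")
    if morsel is not None:
        SESSIONS.pop(morsel.value, None)

if __name__ == "__main__":
    key, header = login("jon", ["photos"])   # constructed user and right
    print(header)
    print(authorize("sid=" + key, "photos"))
```

The cookie carries only the table key, so access rights can be changed or revoked on the server without touching the client.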
MAVERICK Author Commented:
That's a good idea.... except that it doesn't really answer the original question.... I'm thinking of accepting the answer... then if I need help down the track... I'll post a new question??

0
BigRat Commented:
Certainly you can post a new question. But first what Web Server are you using?
0
MAVERICK Author Commented:
I think my host uses a mixture of NT/IIS and Linux/Apache, Not sure which my site is on though :)

Thanks


0
BigRat Commented:
Then this might make it a bit difficult fiddling around with cgi scripts? What is your application?
0
MAVERICK Author Commented:
basically.... I need a fool-proof way of authenticating users.... I'm going to be distributing satellite photos and I want to stop password theft.....

I'm thinking of using a traceroute system to trace back to the user and determine which ISP they're using...

Do you know how to use CGI to get the info from the HTTP header like the client's address ....
For instance....

in a proper check they can get my computer's IP address of 192.168.10.1 .... but most only get to the ISP's proxy server....


Any ideas?
0
BigRat Commented:
If your users come directly into the net (like when they have their own site) then you can get their IP. A lot however use PPP connections over ISDN to their provider, like me, and all you get is the proxy - which may be enough.
   REMOTE_ADDR is the environment variable which contains the client IP address.
   You say you are worried about password theft. Web snooping or careless use?
0
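What a CGI script can and cannot rely on when reading the client address, as an added example that is not part of the original thread. It assumes the proxy announces itself in `Via` and passes the original address in `X-Forwarded-For` (seen by CGI as `HTTP_VIA` and `HTTP_X_FORWARDED_FOR`); the trusted-proxy list and all addresses are constructed.

```python
import ipaddress

# Assumption: reverse proxies you run yourself (constructed documentation address).
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("203.0.113.10")})

def client_address(env, trusted=TRUSTED_PROXIES):
    """Decide which address a CGI script may rely on for this request."""
    peer = ipaddress.ip_address(env["REMOTE_ADDR"])   # TCP peer, set by the web server
    claimed = [h.strip() for h in env.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    result = {
        "client": str(peer),
        "source": "REMOTE_ADDR",
        "via": env.get("HTTP_VIA"),
        "proxied": "HTTP_VIA" in env or bool(claimed),
        "claimed": claimed,            # sender-supplied text, kept for logging only
    }
    if peer not in trusted:
        return result                  # an unknown proxy or the client wrote the headers
    # The request came through our own proxy: read right to left, because each proxy
    # appends the address it saw and anything further left may be forged.
    for hop in reversed(claimed):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                      # malformed entry: stop and keep the peer address
        if addr not in trusted:
            result.update(client=str(addr), source="X-Forwarded-For from trusted proxy")
            break
    return result

# Constructed CGI environments: one through an ISP proxy, one through our own proxy.
ISP_PROXY_REQUEST = {
    "REMOTE_ADDR": "198.51.100.7",
    "HTTP_VIA": "HTTP/1.0 proxy.isp.example",
    "HTTP_X_FORWARDED_FOR": "192.0.2.55",
}
OWN_PROXY_REQUEST = {
    "REMOTE_ADDR": "203.0.113.10",
    "HTTP_X_FORWARDED_FOR": "10.9.9.9, 192.0.2.55",   # first entry forged by the sender
}

if __name__ == "__main__":
    for env in (ISP_PROXY_REQUEST, OWN_PROXY_REQUEST):
        print(client_address(env))
```

In the ISP-proxy case the only address the server can vouch for is the proxy's, so the result is suitable for logging but not as an authentication factor.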
MAVERICK Author Commented:
The satellite photos we get our hands on are not cheap to obtain.... we want to stop both web snooping and deliberate password sharing/theft

http://www.tamos.com/bin/envir.cgi
http://www.tamos.com/bin/proxy.cgi

check out those URLs
most sites I go to give the completely wrong IP... see how accurate the results from those URLs are ... and if you know a way to code it using CGI... that would be perfect...

Thanks

0
BigRat Commented:

Proxy server detected

You came from 62.158.234.124
You came via HTTP/1.0 speth33.ddo01.t-online.de (IBM-WTE)
Remote address 212.185.253.129
Remote host 212.185.253.129

Yes, and I'll look tomorrow what address I get a second time!

If I wanted to send valuable information over the net to well paying clients I'd go for a Kerberos login mechanism, a plug-in for displaying/saving locally, and encrypted messages (at least via SSL)
0
MAVERICK Author Commented:
Can you provide more details... how does Kerberos work.. and can it work on both NT and Unix...
0
BigRat Commented:
If you go to microsoft.com and search on Kerberos you'll get an overview of what they are providing under W2K.
   If you go to www.ietf.org you'll find it under rfc1510. As you will see it comes from MIT and there are many implementations around.
   It's actually a server where login requests are turned into encrypted tickets which can be stored on client machines (as cookies) and sent on when accessing resources. Only the server can encrypt so you ask it (it resides on the same machine as your "cgi") if the client has access to this or that. The tickets have an expiry date/time so they are issued at session start and made invalid at session end.
   This may be too much of an overkill when what you probably want is SSL plus a ticket based login mechanism. WinNT + IE 4.0/5.0 supports a sort of CHAPs over the internet. The client has an account on the NT server and the authentication mechanism is done via encryption - so the password does not go naked over the net. This is of course NT specific and I have not investigated it in depth (ie: tried it out).
   I'm currently implementing a ticket based system where the account number/password goes over the net once on login. I'm currently testing on normal HTTP but hope to switch to SSL soon (I'm passing personal information and "money" around so I don't need to be completely secure). My solution must run on Windows, SCO Open Server and Linux, so a CHAPs system is out. I'd like to have a Kerberos system, but that requires W2K which is not "out" yet.
0
BigRat Commented:
Proxy Server detected

You came from 62.158.233.86
You came via HTTP/1.0 speth47.ddo01.t-online.de (IBM-WTE)
Remote address 212.185.253.140
Remote host 212.185.253.140

Different proxy this time! (or are they using DHCP?)
0
monas Commented:
May I put some info about other possibilities?

In a system I developed I used SSL + client_certificates. Client certificates are cryptographic keys that are very difficult for an intruder to make. Information about who entered pages protected this way is in environment variables (as it always is in CGI) - SSL_CLIENT_S_DN - and either your s/w or the server could judge who is to be allowed to your information and who is not.

In my case I used Linux/Apache+mod_ssl on the server and forced all my clients to use Netscape ('cos in IE work with client certificates is done in the "wrong way" - but I know of people who managed to make systems that work with both browsers).

Last point about preventing your users from sharing passwords... Even if you use client_certs your users could share certs. And IMHO the best way is to write your scripts to disallow getting the same info more than X times in Y hours.

Just my thoughts...
0
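One way to implement the "no more than X times in Y hours" rule monas suggests, as an added example that is not part of the original thread. The identity is taken from `SSL_CLIENT_S_DN` (client certificate) or `REMOTE_USER` (Basic Authentication); the class and function names, the item name and the sample DN are constructed.

```python
import time
from collections import defaultdict, deque

class FetchLimiter:
    """Allow each identity to fetch the same item at most max_fetches times per window."""

    def __init__(self, max_fetches, window_hours):
        self.max_fetches = max_fetches
        self.window = window_hours * 3600
        self._log = defaultdict(deque)   # (identity, item) -> times of granted fetches

    def allow(self, identity, item, now=None):
        now = time.time() if now is None else now
        granted = self._log[(identity, item)]
        while granted and granted[0] <= now - self.window:
            granted.popleft()            # forget fetches older than the window
        if len(granted) >= self.max_fetches:
            return False                 # refused attempts are not recorded
        granted.append(now)
        return True

def may_fetch(env, item, limiter, now=None):
    """Apply the limit to the identity the web server authenticated for this request."""
    identity = env.get("SSL_CLIENT_S_DN") or env.get("REMOTE_USER")
    if not identity:
        return False                     # unauthenticated requests get nothing
    return limiter.allow(identity, item, now)

# Constructed CGI environment for a client-certificate login.
SAMPLE_ENV = {"SSL_CLIENT_S_DN": "/C=XX/O=Example/CN=customer-17"}

if __name__ == "__main__":
    limiter = FetchLimiter(max_fetches=2, window_hours=1)
    for t in (0, 10, 20, 3601):
        print(t, may_fetch(SAMPLE_ENV, "photo-0042.jpg", limiter, now=t))
```

The limit is keyed on the authenticated identity rather than the source address, so a shared certificate or password runs out of fetches no matter how many machines use it.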
BigRat Commented:
mod_ssl should also work with Apache on NT.
   I have heard about Browser problems regarding client certs. What people do you know who have made it work on both systems (particularly IE5)? This interests me since Kerberos will probably not work on NT 4.0 (although it does have advantages in delegation) and might be an alternative for me as well!
0
monas Commented:
I was told Netscape Certificate Management System works with all browsers.

If you want to speak with person who used this - try to talk to dammit on irc://irc.omnitel.net
0
BigRat Commented:
Thanks monas, I'll check that out.
0
MAVERICK Author Commented:
OK .... only one problem... I want it to work without too much server reconfiguration as it may be used by friends who have very limited admin access. SSI's yes, but a Kerberos server may be a problem.

One idea I've thought of is using the IP address as part of the encryption key. And a CGI authenticates it.

BTW see
http://www.experts-exchange.com/secure/bin/Q.10292853

Thanks

0
BigRat Commented:
I have been following that thread without comment since it seems to reproduce the arguments already discussed here.

It seems to me from your last comments that you are not the hoster of the site, but you are going to have a virtual site on another host. Is that the case? And is that the reason why SSL with certificates is causing you some heartache?
0
MAVERICK Author Commented:
I have access to my host for SSL but the system may be used by a friend who is on a virtual host and it.
0
BigRat Commented:
That's no problem, one can run Apache normally and Apache with SSL on the same machine no problem.
0
MAVERICK Author Commented:
BigRat.... thanks for the tips

I checked with my friend and we'll move to a new server in 6 months with SSL support etc.
I'm going to use environment variables + cookies til then


Monas... thanks for the tips...
0