unique_id function

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
User avatar
Techie-Micheal
Registered User
Posts: 566
Joined: Sun Oct 14, 2001 12:11 am

Re: unique_id function

Post by Techie-Micheal »

Nicholas the Italian wrote:
Techie-Micheal wrote:As for spoofing your IP address, you are correct, TCP requires a 3-way handshake, thus making it impossible to simply spoof your IP address and get results.
Well, you could spoof a TCP packet and make it look like a UDP packet. :P (Webservers listen for UDP packets on :80, don't they?)
Still, whatever result you might be able to obtain, it'll never get back to you (unless... see above).
And for REMOTE_ADDR, that's lower down the OSI model, rather than layer 7, so you can't really spoof that either.
Yes, IP protocol is level 3 (network), so I suppose it's handled by the OS. But again I suppose you can crack OS's and rewrite IP-handling routines... ;)
Uh ... no. Webservers don't listen on UDP. That kinda makes them pointless. HTTP runs on top of TCP, and webservers use HTTP. Ergo, 3-way handshake. :)

You can't turn TCP packets in to UDP, datagrams are different, so you would have to generate datagram packets.
User avatar
Kellanved
Former Team Member
Posts: 407
Joined: Sun Jul 30, 2006 4:59 pm
Location: Berlin

Re: unique_id function

Post by Kellanved »

code reader wrote:
Kellanved wrote:It's still just the time that goes in the function. An attacker using the same seed will get the same result.
i don't know how an attacker can fake microtime(), but if we get that paranoid, how about adding some other values which change (though not strictly "random", still, in a difficult-to-duplicate way), such as disk_free_space() and memory_get_usage()?
going to the db just to obtain random seed seems both excessive and wrong (assuming, from the discusstion iteslf, that that is what you are doing. contrary to my nick, i didn't actually read the code... :( )
Random values are not random at all. It's just a pseudo-random number generator; same input means same output.
The time is rather trivial to obtain. It's just about getting the server time and measuring the latency. An attacker can test huge amounts of possible random values in just one post; time just is not nearly random enough.
disk_free_space() and memory_get_usage() could also be guessed quite well - they are not random and it's rather doubtful that they would be faster.

The database is not queried every time, but only for security-relevant random strings. Those are not required that often and it's better being safe than sorry.
No support via PM.
Trust me, I'm a doctor.
Post Reply