Comments on: IP address authentication considered harmful http://blogs.semantico.com/discovery-blog/2009/06/ip-address-authentication-considered-harmful/ Semantico looks at online publishing Thu, 11 Mar 2010 14:52:22 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Richard Padley http://blogs.semantico.com/discovery-blog/2009/06/ip-address-authentication-considered-harmful/comment-page-1/#comment-24626 Richard Padley Mon, 22 Jun 2009 11:09:40 +0000 http://blogs.semantico.com/discovery-blog/?p=273#comment-24626 Hi Nicole, There are a number of use cases for authenticated RSS from publishers. One common one for us is to deliver search results as an RSS feed - this allows users to store canned searches in their feed readers and check back regularly to see when new content is added to the system matching their search criteria. For a paid-to-access abstracts service, like CAB Direct for example, the search results must be protected, and so therefore any RSS derived from it must be also. The fact the RSS can be used for delivering rich services such as search as well as content syndication means that robust authentication is a key requirement for many publishers. Hi Nicole,

There are a number of use cases for authenticated RSS from publishers. One common one for us is to deliver search results as an RSS feed – this allows users to store canned searches in their feed readers and check back regularly to see when new content is added to the system matching their search criteria.

For a paid-to-access abstracts service, like CAB Direct for example, the search results must be protected, and so therefore any RSS derived from it must be also.

The fact the RSS can be used for delivering rich services such as search as well as content syndication means that robust authentication is a key requirement for many publishers.

]]> By: Nicole Harris http://blogs.semantico.com/discovery-blog/2009/06/ip-address-authentication-considered-harmful/comment-page-1/#comment-24424 Nicole Harris Tue, 16 Jun 2009 17:38:17 +0000 http://blogs.semantico.com/discovery-blog/?p=273#comment-24424 Interested as to why you would want authenticated access to an RSS feed? Surely such feeds should be openly accessible, with authentication only being required at the last possible moment to access full content. I can see the argument for authenticated RSS feeds from, say, banks and credit card companies, but not sure of a publishing use case? Interested as to why you would want authenticated access to an RSS feed? Surely such feeds should be openly accessible, with authentication only being required at the last possible moment to access full content. I can see the argument for authenticated RSS feeds from, say, banks and credit card companies, but not sure of a publishing use case?

]]> By: Richard Padley http://blogs.semantico.com/discovery-blog/2009/06/ip-address-authentication-considered-harmful/comment-page-1/#comment-24263 Richard Padley Thu, 11 Jun 2009 09:01:10 +0000 http://blogs.semantico.com/discovery-blog/?p=273#comment-24263 Hi Dom, Very good point re: the <code>X-Forwarded-For</code> header. Since there are no standards for this header, we've seen no end of cruft end up in there from ill behaved proxy servers. Hi Dom,

Very good point re: the X-Forwarded-For header. Since there are no standards for this header, we’ve seen no end of cruft end up in there from ill behaved proxy servers.

]]> By: Eric Hellman http://blogs.semantico.com/discovery-blog/2009/06/ip-address-authentication-considered-harmful/comment-page-1/#comment-24256 Eric Hellman Wed, 10 Jun 2009 20:48:52 +0000 http://blogs.semantico.com/discovery-blog/?p=273#comment-24256 Yes, harmful. Nonetheless, the reality is that IP address authentication, patched up with rewriting proxy-servers, is less harmful than any of the alternatives. Yes, harmful. Nonetheless, the reality is that IP address authentication, patched up with rewriting proxy-servers, is less harmful than any of the alternatives.

]]> By: Dominic Mitchell http://blogs.semantico.com/discovery-blog/2009/06/ip-address-authentication-considered-harmful/comment-page-1/#comment-24249 Dominic Mitchell Wed, 10 Jun 2009 10:20:26 +0000 http://blogs.semantico.com/discovery-blog/?p=273#comment-24249 Don't forget the awful workarounds that get put in to place because of the desire for IP Authentication: The <code>X-Forwarded-For</code> header. If you can't distinguish based on the IP address of the institutional proxy, there's a desire to use the IP address <em>behind</em> the proxy. But this method is wide-open to abuse. There's no way to stop anyone supply their own <code>X-Forwarded-For</code> header with your IP address. Don’t forget the awful workarounds that get put in to place because of the desire for IP Authentication: The X-Forwarded-For header.

If you can’t distinguish based on the IP address of the institutional proxy, there’s a desire to use the IP address behind the proxy. But this method is wide-open to abuse. There’s no way to stop anyone supply their own X-Forwarded-For header with your IP address.

]]>