Security Basics mailing list archives

Re: Trusting localhost?


From: Birl <sbirl () temple edu>
Date: Fri, 25 Jul 2003 11:38:40 -0400 (EDT)

As it was written on Jul 25, thus Craig Minton spake unto the masses:

Craig:  Date: Fri, 25 Jul 2003 07:44:43 -0700 (PDT)
Craig:  From: Craig Minton <CraigSecurity () blazemail com>
Craig:  To: security-basics () securityfocus com
Craig:  Subject: Trusting localhost?
Craig:
Craig:  If you are creating an application that communicates using TCP, but only
Craig:   want to take requests from the localhost, are there reasons why you
Craig:  would not want to check that the incoming request is from localhost and
Craig:  then trust it?  This is in a Windows environment.  Would IP spoofing
Craig:  work if the application was checking for the IP address 127.0.0.1?  If
Craig:  so, how likely is it that IP spoofing would work today, in a corporate
Craig:  environment?
Craig:
Craig:  Thank you for any direction you can provide.


127.xxx.yyy.zzz will only go back to itself, never leaving the network
(let alone touch it).

To spoof it would be pointless.


Thanks

 Scott Birl                              http://concept.temple.edu/sysadmin/
 Senior Systems Administrator            Computer Services   Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
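
The localhost-only check asked about in this thread, as an added example that is not part of the original messages: the listener is bound to 127.0.0.1 rather than to every interface, and the peer address is then checked against the whole loopback range, including ::1 and IPv4-mapped forms. Python is used for illustration, and the function names are hypothetical.

```python
import ipaddress
import socket
import threading


def is_loopback_peer(host: str) -> bool:
    """True if host is in 127.0.0.0/8, is ::1, or is an IPv4-mapped 127.0.0.0/8 address."""
    try:
        addr = ipaddress.ip_address(host.split("%", 1)[0])  # drop any IPv6 zone id
    except ValueError:
        return False  # hostnames and malformed input are never trusted
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:  # e.g. ::ffff:127.0.0.1 as reported by a dual-stack listener
        addr = mapped
    return addr.is_loopback


def open_loopback_listener() -> socket.socket:
    """Listen on 127.0.0.1 only; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # not "" or 0.0.0.0, which listen on every interface
    srv.listen(1)
    return srv


def serve_one(srv: socket.socket) -> None:
    """Accept one connection and answer according to the peer address check."""
    conn, (peer_host, _peer_port) = srv.accept()
    with conn:
        conn.sendall(b"OK\n" if is_loopback_peer(peer_host) else b"DENIED\n")


def demo() -> bytes:
    """Connect to the listener over loopback and return the server's reply."""
    srv = open_loopback_listener()
    worker = threading.Thread(target=serve_one, args=(srv,))
    worker.start()
    with socket.create_connection(srv.getsockname()) as client:
        reply = client.recv(16)
    worker.join()
    srv.close()
    return reply


if __name__ == "__main__":
    print(demo())
```

The check identifies the machine a connection came from, not the user or process that opened it.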
