Security Basics mailing list archives
Re: Verifying E-Mail Addresses
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Tue, 14 Nov 2006 14:58:29 -0500
Will Yonker wrote:

> > I do recognize that somebody can enter a valid e-mail address that does not belong to them, but we are trying to address one issue at a time. At this point we are just trying to prevent people who give us "dude () dude com" from getting on to our network.
>
> I agree, you really should require a working email address that they have access to. I would say your best bet would be to use the same sort of verification that most email lists use. You could easily automate the whole thing. It could go something like this: The user turns on his PC and you assign him all the right DHCP info. He then opens his browser and is directed to your login page. He then has to enter his email address if he needs to create an account. Then you send him an email with the password.

<snippage>

Unless you've already granted at least some level of the access you're trying to control, how would the potential user receive the email? :)

Wasn't this scenario basically a municipal/public access point trying to at least in some way validate prospective users? Unless this is implemented as a subscription service where the user can "go home and get the password" when it's issued, it won't easily work. You can't send it to them via the web interface or any other webmail, or you've pretty much eviscerated the whole process.

If you let them have limited access to certain resources so they can get their "challenge/response" email from an account outside your control, you're not only dealing with the nightmare of managing that resource, but opening yourself up to an easy circumvention of all your hard work by people using disposable email accounts like Pookmail, Jetable, Spamgourmet, some "bot" machine in New Jersey, their Siberian hacker friend's private server on a roving DynDNS enabled box that's hooked up to some flaky cafe WiFi just for today, etc...

--
Hand crafted on 14 November, 2006 at 14:53:23 EST using only the finest domestic and imported ASCII.

Abandon the search for truth; settle for a good fantasy.