[WEB4LIB] Re: Impact of statewide database deals?
James Cayz
cayz at lib.de.us
Tue Apr 24 19:28:32 EDT 2001
On Sun, 22 Apr 2001, Thomas Dowling wrote:
>> I've been wondering how states doing this are providing remote
>> access? And what about the issue of authentication?
>OhioLINK recently started hosting its first service open to both OhioLINK's
>(academic) members and Ohio public library users. My perception is that the
>answer to the first question is, "Poorly." And to the second question:
>"Well enough to satisfy some not very demanding or ill-informed vendors."
>In other words, referer authentication. OPLIN, the state public library
>consortium, provides a login function that does a one-time lookup against a
>user database and on success takes users to a page with a link to Database X.
>X's service provider then allows access to anyone whose user agent sends
>that URL as its REFERER header.
>
>In other other words, access is available to anyone who A) knows the correct
>Referer, B) knows the URL to send it to, C) has a telnet client, and D)
>wants access badly enough to learn one grade D hacking trick.
>
>Thomas Dowling
>Ohio Library and Information Network
>tdowling at ohiolink.edu
Thomas,
Being the technical person that has set up a state-wide library-card
authentication system based upon referer URLs, I'll agree that 90% of the
vendors are using referer method. Maybe even 95%.
However, I have at least one vendor who uses a back-channel method to
confirm that the referer just received by the vendor did indeed originate
at our host. Additionally, this backchannel method is encrypted by a key
system updated monthly, so even if someone 1) steals the referer URL and
2) steals the Perl script on the back channel and 3) reverse-engineers the
code to switch the answer-back IP address (which is encoded in the
script...), it only works for a month, until the new key comes out.
It's a lot of effort to get right, but we're sure, and the vendor is sure,
that only the registered patrons get in.
But, that's only one of our 4 databases. Today....
James
+--------------------------------------------------------------------------+
| James Cayz Telecommunications / Network Technologist I |
| Email:cayz at lib.de.us Voice:302-739-4748 x130 Fax:302-739-6787 |
| Delaware Division of Libraries # 43 S. DuPont Hwy / Dover, DE 19901-7430 |
+--------------------------------------------------------------------------+
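As an added illustration, not code from either poster or from any vendor named in the thread, the following Python contrasts the two checks discussed above: a vendor-side referer-only check beside a back-channel confirmation in which the consortium host verifies a one-time ticket under a key that changes monthly. The login URL, the key values and the ticket format are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed values (not from the thread): the consortium's login hand-off URL
# that vendors whitelist, and one shared secret per month, standing in for the
# "key system updated monthly" described in the post.
LOGIN_URL = "https://login.example-consortium.invalid/go"
MONTHLY_KEYS = {"2001-04": b"constructed-april-key", "2001-05": b"constructed-may-key"}


def referer_only_allows(headers: dict) -> bool:
    """The common vendor check: trust whatever Referer the client sends."""
    return headers.get("Referer", "").startswith(LOGIN_URL)


class ConsortiumHost:
    """Consortium side: mints a ticket at login and answers the vendor's back channel."""
    def __init__(self):
        self.redeemed = set()  # one-time use, so a copied ticket cannot be replayed

    def _tag(self, patron_id, nonce, month):
        msg = f"{patron_id}:{nonce}:{month}".encode()
        return hmac.new(MONTHLY_KEYS[month], msg, hashlib.sha256).hexdigest()

    def login(self, patron_id, month):
        """After the one-time patron lookup, build the link the patron is sent on with."""
        nonce = secrets.token_hex(8)
        ticket = f"{patron_id}.{nonce}.{month}.{self._tag(patron_id, nonce, month)}"
        return f"{LOGIN_URL}?ticket={ticket}"

    def confirm(self, ticket, current_month):
        """Back channel: did this ticket originate here, under this month's key, unused?"""
        try:
            patron_id, nonce, month, tag = ticket.split(".")
        except ValueError:
            return False
        if month != current_month or ticket in self.redeemed:
            return False
        if not hmac.compare_digest(tag.encode(), self._tag(patron_id, nonce, month).encode()):
            return False
        self.redeemed.add(ticket)
        return True


def back_channel_allows(headers, host, current_month):
    """Vendor side: accept the Referer only after the consortium confirms its ticket."""
    referer = headers.get("Referer", "")
    if not referer.startswith(LOGIN_URL):
        return False
    ticket = parse_qs(urlparse(referer).query).get("ticket", [""])[0]
    return host.confirm(ticket, current_month)
```

A bare copy of the login URL satisfies the referer-only check but never the back channel, a ticket is good for exactly one confirmation, and once the next month's key is in force every older ticket is refused.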