[nycphp-talk] Question about obtaining MAC address
Hans Zaunere
lists at zaunere.com
Fri Sep 23 05:42:02 EDT 2005
Hi Anthony,
Anthony Papillion wrote on Friday, September 23, 2005 1:57 AM:
> Does anyone know of a reliable way to obtain a site visitors MAC
> address? I ask because I am creating an application that needs to be
> very secure and I was thinking about using each users MAC address as
> the authentication key in addition to a login/password.
Sorry to say, but that's the wrong strategy for secure authentication.
There are a number of reasons, with the top-two being:
-- MAC addresses can be spoofed
-- you can't capture a MAC address of someone across the Internet.
MAC/hardware addresses don't go past a router (level 2 of the network stack,
I believe) and thus are only visible on a local LAN. And, if a switch is in
place, as is generally the case these days, you'd only see ARP requests for
the MAC anyway.
The best way to handle security is generally a well constructed
username/password strategy. If, however, you have close contact with each
user, SSL client/server certs may be a practical secure solution.
---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com
More information about the talk
mailing list