Is there a way to get a unique serial number for machines such as Mac,Windows and devices such as iPhone,Blackberry using php/javascript?
It really requires at least one reference datum - javascript can't read things like IP addresses or MAC addresses - so that's ruled out. There are implementations of uuid for PHP - but to create a valid one, you need a real IP address assigned.
And if have code deployed serverside, its straightforward to implement a counter based system.
What is a machine?
Machines are made from parts, so determining wether a machine is still the same can be a philosophical question in its own right.
For example a computer's hard drive probably has a unique serial number, if the machine has a network card, it has a unique MAC-Address, and it might even be considered a "different machine" when running a different operating systems (Windows, Mac, etc). All those unique IDs can be mungled together to create a unique machine-ID, and this is exactly what some software vendors such as Mathematica do to make sure you don't run the software on a machine or an operating system, you have not licensed it for.
Using Interface Identifiers
With IPv6 finally becoming widely available, the Interface identifier of the protocol can serve as an identifier of your machine (or at least its network card), since it contains the MAC-address of the network card. IPv6 provides privacy extensions to prevent this kind of identification, since in the age of personal computers and mobile devices machine identification equals user identification, which is a huge privacy issue.
Currently, Apple and Android mobile devices, don't provide privacy extension, and they are deactivated on Mac and Linux by default. Only Windows 7 seems to have them enabled by default.
Accessing the IP address in PHP and javascript
In PHP it's pretty simple to access the IP address via $_SERVER['REMOTE_ADDR']
In javascript you could issue a JSONP request to a server that returns the user's IP address.
See: Can I perform a DNS lookup (hostname to IP address) using client-side Javascript?
Accessing the MAC address in Javascript
Even if the machine only has IPv4 - there is a proof of concept hack (http://samy.pl/mapxss/) that retrieves the MAC address from some routers via javascript XSS. The MAC address of your router is then sent to the google geolocation service to identify the machine's exact location. (Of course this only is a weak identifier for mobile devices)
Combining Identifiers
Webbrowsers will provide you with a useragent string, that can make your identifier even "more unique", and then there are cookies, geolocation services etc.
While none of these techniques provide a way to create a 100% unique identifier, several of those techniques combined can provide a very high accuracy of identificiation. Even if parts of a machine are changed, you might be able to re-identify it, when applying an array of identification techniques. Also note that when using browser identification etc, you may face the problem of over-identification, especially if a machine is using more than one browser to access your service.
Asking the user
Due to potential privacy issues, you should consider using an opt-in approach for creating the unique id. Also since it's the users who are in touch with their machines, they are the only ones who can uniquely identify their machine with a 100% certanity. So the best thing is to provide an incentive to the user to trust you with identifying their machines. A simple scenario, would be to provide the user with a login (so you have user identification) and then ask the user to help you with machine identification. Of course this only works if you trust your user, but if you don't, they should probably not trust you either.
No, there is no way to do that.
This is a good thing, since it makes it harder to track people via websites.
Privacy is precious ;)
Martin hurries off to delete all his cookies and put on his tinfoil hat
What is a machine?
Machines are made from parts, so determining wether a machine is still the same can be a philosophical question in its own right.
For example a computer's hard drive probably has a unique serial number, if the machine has a network card, it has a unique MAC-Address, and it might even be considered a "different machine" when running a different operating systems (Windows, Mac, etc). All those unique IDs can be mungled together to create a unique machine-ID, and this is exactly what some software vendors such as Mathematica do to make sure you don't run the software on a machine or an operating system, you have not licensed it for.
Using Interface Identifiers
With IPv6 finally becoming widely available, the Interface identifier of the protocol can serve as an identifier of your machine (or at least its network card), since it contains the MAC-address of the network card. IPv6 provides privacy extensions to prevent this kind of identification, since in the age of personal computers and mobile devices machine identification equals user identification, which is a huge privacy issue. Currently, Apple and Android mobile devices, don't provide privacy extension, and they are deactivated on Mac and Linux by default. Only Windows 7 seems to have them enabled by default.
Related
My office network provides internet access to my employees when they connect to it through the office's router. I want to make a web application in which only computers connected to the internet through my office router, can access. So that my employees have to be in my office area before they can login into the php web application.
If they are connected to the internet, but not through my office network they should not be able to log in to the application. (I know I could have deployed the php app in a local server setup in my office but I want the app to be on a remote server on the internet for my personal reason).
What hardware do i need to setup my office network and how do I make PHP detect the id of the hardware of my network so php can determine that a request is coming from my network.
Some options to recognise your private office from a public website:
IP address
This will only work if you know what IP address is in use at any given time by your allowed clients. In the case you use a NAT gateway, this has to be the outside address.
It becomes pretty easy to do this if you have static IP addresses for all your allowed clients, if they change, it quickly becomes a nightmare to keep them right at all times.
Security: since HTTP is based on TCP it's not trivial for other to get to use your IP address through spoofing, but it's by far not foolproof either. Consider it a poor-man solution at the very best.
Caveat: if any of your staff can get remotely to their machine, they can access it remote (so e.g. a time registration system is going to get circumvented by this quickly)
VPN
VPN stands for Virtual Private Network.
This is the goto solution from a security perspective. Essentially you build up tunnels between either individual clients or networks as a whole with the VPN server.
On the central end of those tunnel(s), your webserver answers to web requests (but not to the internet at large).
There is a whole range of VPN products out there. There are equally relatively easy to build solutions using free software (e.g. OpenVPN).
Things on how the client (network or computers) will authenticate to the server and what traffic is attracted to the VPN and much more are all possible parameters you can set.
Security: it depends a bit on the choices made, but unless unproven or outdated solutions are picked, this can be done "top notch". It is however in skill level probably just above your typical IT shop around the corner (but you might be in luck).
Same remark as above: your staff that can gain access to it, might be tunnelling into their machine at work or might use credentials and settings on an office machine at home as well.
DNS
reverse mapping of IP to names is far too easy to spoof, don't try this.
Login/Password
This is a relatively easy solution: allow access from anywhere, but give authorised users a login and password and let them have access after being logged in properly.
Security: It's non-trivial to get this fully secure, there's plenty of opportunity to make errors in how the application works so that it becomes a problem.
But if you have to have a zero footprint on the clients, this is your best option.
Add in 2 factor authentication to increase the password security and make passing on passwords a bit more difficult.
TL;DR
I'd setup an OpenVPN based VPN, they are relatively easy to setup, the clients exist for most OSes (take care not all: e.g. iOS: I don't know of one) and it'll give you more than average protection without you having to delve deeply into the details of encryption protocols and the like.
Still there's a learning curve, but there's plenty of tutorials out there that don't assume much prior knowledge either.
For your clients you setup a certificate-based authentication system using EasyRSA (included with OpenVPN). It's a bit of a habit you need to create, but once setup properly, adding and removing users becomes relatively painless.
On your server all you need to do is make sure the http server only binds to the IP address of the tunnel interface.
I've got a web application which can be used for individual peoples (one account for one person) and for places such as schools (one account per computer). I would like to make sure that the schools accounts can only be logged in from the said school.
I've tried an IP filter which isn't appropriate as they have a dynamic IP (it changes every day or each time they reboot their ISP box). The MAC address is not an option since it's not readable by PHP and not conserved between packets hops.
So here is my question, how may I make sure that the schools accounts are used from and only from the school ? Maybe something that I have to install on each trusted computer and which can't be cleaned without paying attention ?
Go with the IP address. Solve the dynamic ip address problem by installing a small script that will ping your server once per 5 minutes and you will get the current school's ip address by this.
The simplest solution would be to use cookies. However, cookies are super easy to read and transfer by the user if he knows how.
A bit more complicated solution would be to make an browser plugin that adds some HTTP header to every request, which would need to be installed on every 'trusted' computer. To falsificate this one it would take a bit more computer skill.
Another solution would be to install secure VPN on trusted computers and make website accessible only through this VPN.
The most sophisticated solution would be to implement some browser-fingerprinting library. That is when website collects all available informations about the browser and machine it runs on (available HTTP headers, available system fonts, how the machine handles decimal point arithmetics etc)
Is there a safe way, to identify a device which might be behind a Router (so the IP is not unique) in PHP?
Background: I have several embedded devices (self programmed & adaptable) which contact a webserver (php+mysql) with status updates. These updates are then - if the source is confirmed - saved to the database.
As I understand it $_SERVER['REMOTE_ADDR'] usually can be trusted (except some IIS configuration where it may - under special circumstances - wrongfully return 127.0.0.1; but different story)
Anyhow since I use SSL, the IP address really should not be a problem, because there a handshake is required and if the IP is faked or simply wrong, the connection should not be established
For now I require IP addresses to be whitelisted by admin, for an status update to be acceppted
The device additionally sends the MAC address via $_POST to identify the different modules with identical IP address (I know this can very easily be forged, and right now will be trusted if the IP address is trusted)
So first of all I am not sure if the IP address in itself is enough for it to be safe from attacks from the outside
Secondly if the device is behind a router, it will have the same IP address as every PC/device on that network. So about anyone there could forge a status update with a fake MAC address (simply as post variable), and since the IP address is whitelisted it will be trusted
So is there any way of confirming the identity of a device, or do you know a better way of doing this?
Aside: Going the other way, and have the webserver poll the different devices might be an option, but since there might be many (> 2000) devices of which we need the very last status (change) I thought it to be inefficient.
IP addresses can be spoofed, MAC addresses can be forged, so theses methods are not sufficient. The general approach is to assign a key to each client device (possibly the same key to all devices, even if this probably a bad idea). The "key" can be anything from a predefined string (weak, think username/password) to a signed certificate (strong, think SSL).
Both can be implemented either at the application level (by PHP) or at server level. If your application runs on Apache httpd server, I would rather recommend using its built-in features as it supports both approaches.
I was wondering if there's a way to control access to a website on a similar way than app licensing works, allowing only given computers on the entire Internet to access them... I can't find a way to uniquely identify a given computer OR to discard all machines except the authorized ones... I don't want a user/password approach as it can be shared.
Your best option here is SSL certificates. Get the client to send you a certificate signing request, sign it with your custom CA, and give them a certificate to use to connect to you with. Ensure that it ties directly to a particular hostname, the hostname of the system. Not entirely fool proof, but better.
IP addresses change. MAC addresses can be spoofed. Computer names are set by the user, and computers can change locations, operating systems, hardware components, and owners.
There's a reason that the username/password combination is so prevalent on the web. And, personally, if it's secure enough for Google, it's secure enough for me.
You can limit the access by IP restriction or mac address restriction. Http server such as apache have access control modules. You can find more information about it from http://httpd.apache.org/docs/2.2/howto/access.html
I know how to track down an IP address, but I need to track down the MAC address of the users viewing my page.
How to accomplish this?
Unless the user is on the same LAN as the webserver, you cannot do this. MAC addresses are on the ethernet layer below TCP/IP, and are not included in TCP/IP packets routed off the users local network.
In some environments, it might be possible use to a client-side plugin to allow Javascript access to the MAC address, and transmit that information to the server.
If this is some kind of LAN based web application, you could try getting the MAC address out of the ARP cache. How you do this will depend on the operating system, but under Linux you could parse the output of arp -n
You can't.
... Well not without the aid of some fully trusted client software (aka a browser plug-in) to help.
The MAC address is not supplied by the browser as part of it's request and is not accessible via client side javascript either.
The only way to gather such information is to supply a browser plug-in that can retrieve such details on your behalf. In the case of most browser / operating system combinations, this will require your users trusting and installing the plug-in.
This effectively means that it's possible to engineer such a solution for an enterprise environment... but extremely unlikely to work for a public facing website.
If you're looking to achieve authentication (for the purposes of either access or auditing) then I would suggest investigating other options such as certificates and the like.
You can't. In general, you can't know the MAC address of your users.
However, for IE on trusted websites, see this.