[Nottingham] Will HTTPS be safe against a spoofed IP address?

Graeme Fowler graeme at graemef.net
Fri Oct 29 08:27:02 BST 2004

On Thu, 28 Oct 2004, Michael Erskine wrote:
> I've been setting up secure webservers at each of my company's sites and I'm 
> eager to ensure that we only allow access to certain parties. This we can 
> easily do at the IP address level at the various firewalls or within the 
> webserver configurations. Do encrypted HTTPS sessions somehow protect against 
> the various forms of IP spoofing?

What do you mean by IP spoofing in this context, Michael?

It's very easy to build your own packets with an arbitrary source IP and fire 
them at a target machine; it's another thing entirely to actually get those 
packets back to your machine - that would require subversion or control in 
some way of a number of routing devices in order to either NAT, reroute or 
simply forward them to your real IP.

If, say, one of your clients is using an address of on their 
BT-provided DSL service, you set up iptables or netfilter rules on your 
server to only permit connections from that address *and* use Apache's ACL 
styles to further block connections and/or ask for authentication (or client 
certs as previously mentioned) from that address, then you've got a pretty 
tight filter.

If someone on a network in Russia (with base block of, say, spoofs as a source, then the return path from your server will go to the 
DSL service. They might then complain that their service is saturated (very 
common in spoofed DoS attacks where a single source is spoofed by many hosts), 
but your server in and of itself remains secure. Slow, but secure :)

For that spoofing to get back to a rogue client, they need to control your 
upstream network infrastructure. Doubtful - possible, but doubtful.

There are, of course, probably ways in which most of the above is easily 
subverted - badly configured providers accepting (and announcing) arbitrary 
network prefixes or ASes to the world, for example. It's very rare, however, 
and I'm yet to experience that one personally :)
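The two-layer filter Graeme describes (a netfilter rule admitting one client address, plus an Apache ACL that also demands a client certificate) as a worked example. This is added here and is not code from the original post or from the list; the client address 192.0.2.10, port 443 and the CA file path are constructed placeholders. The script emits the rules and the Apache stanza for review rather than applying them directly, so it can be run as an ordinary user and piped to `sh` as root once checked.

```sh
#!/bin/sh
# Added example, not from the original list post. Generates (does not apply) the
# netfilter rules and Apache 2.4 configuration for "only this client address, and
# only with a client certificate". All addresses and paths below are constructed.
set -eu

# Constructed example values (documentation range, not a real host).
CLIENT_IP="${CLIENT_IP:-192.0.2.10}"
HTTPS_PORT="${HTTPS_PORT:-443}"

# Emit iptables commands accepting new HTTPS connections only from one address.
# A SYN spoofed from anywhere else hits the final DROP; even a spoofed SYN that
# carried the permitted source would get its SYN-ACK sent to the real owner of
# that address, so the handshake never completes for the spoofer.
fw_rules() {
    ip="$1"; port="$2"
    # Replies and already-established flows
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # New HTTPS connections, but only from the one permitted client
    printf 'iptables -A INPUT -p tcp --syn --dport %s -s %s -j ACCEPT\n' "$port" "$ip"
    # Everything else aimed at HTTPS
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Emit the Apache 2.4 stanza for the site's VirtualHost. The address check is
# repeated here so the web server does not depend on the firewall alone, and the
# client-certificate requirement means that a packet arriving with the "right"
# source address (e.g. via a hijacked route) still cannot finish the TLS
# handshake without the matching private key. CA path is a placeholder.
apache_acl() {
    ip="$1"
    cat <<EOF
# Client certificates must chain to the company's own client CA (placeholder path)
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/ssl/certs/company-client-ca.pem
<Location "/">
    # Network-layer check duplicated at the application layer
    Require ip $ip
</Location>
EOF
}

# Usage: review the output, then apply the firewall part as root with
#   fw_rules "$CLIENT_IP" "$HTTPS_PORT" | sh
echo "# --- netfilter rules ---"
fw_rules "$CLIENT_IP" "$HTTPS_PORT"
echo "# --- Apache VirtualHost fragment ---"
apache_acl "$CLIENT_IP"
```

The firewall rule is what keeps unwanted sources out; the TCP handshake is what defeats blind spoofing, since the SYN-ACK goes to the spoofed address rather than to the sender. The client certificate is the control that still holds if an attacker ever does get the return path, which is the "control your upstream network infrastructure" case above.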
