Why using a MAC address is horrible for web application security

There are plenty of reasons, but I have decided to just focus on the top items.

  1. MAC addresses are not unique. They may be unique within a manufacturer's production environment, but the devices that carry them can also have them overwritten.
  2. Browsers don't submit MAC addresses in their headers. Sorry, but this is just a fact.
  3. Only under certain network security layouts can you even come close to getting this to work, for example when the IIS server is on the exact same domain as the IE browser.
    1. Even then, you have to go outside of the browser sandbox to get the MAC address.
  4. Just because you have a MAC address doesn't mean you know who the person using that box is.

If you think about it, this same list also argues against using IP addresses for security.

However, if you are trying to create a generic public page with no authentication for your users, I would consider a three-step security setup.

  1. Have your network security, which uses MAC addresses, limit that box to a subset of your network.
  2. Assign a static IP to the client box, then have your unsecured web server, or the limited-exposure network card, restrict its connections to that IP address.
  3. Register a certificate to that box's browsers, and require the certificate to be present before serving the web page.
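To make points 2 and 4 above concrete, and to show what steps 2 and 3 of the layered setup look like on the server side, here is an added Python example (it is not code from the original post). The first half parses a constructed HTTP request exactly as a web server receives it and confirms that nothing MAC-shaped arrives in the headers. The second half is a small authorization policy that binds a static client IP to the subject of a registered client certificate; it assumes the TLS terminator has already validated the certificate chain and passes only the verified subject string along, and the addresses and subject names are made-up sample values.

```python
import ipaddress
import re

# Regex for the common MAC notations (aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff).
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# Constructed sample request, representative of what a browser actually sends.
SAMPLE_REQUEST = (
    "GET /status HTTP/1.1\r\n"
    "Host: intranet.example.test\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "Accept: text/html\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Split a raw HTTP/1.1 request into its request line and a header dict.

    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def find_mac_like_values(headers):
    """Return every header whose value contains something shaped like a MAC address.

    On a real browser request this comes back empty: the MAC never leaves the
    local link, so the web server has nothing to key on.
    """
    return {name: value for name, value in headers.items() if MAC_RE.search(value)}


# Step 2 + step 3 of the layered scheme: each registered box gets one static IP
# and one client certificate; both must match before the page is served.
# Sample values (assumption, not from the post).
ALLOWED_CLIENTS = {
    ipaddress.ip_address("192.0.2.10"): "CN=kiosk-01,O=Example Corp",
    ipaddress.ip_address("192.0.2.11"): "CN=kiosk-02,O=Example Corp",
}


def authorize(client_ip, client_cert_subject, allowed=ALLOWED_CLIENTS):
    """Decide whether to serve the page; returns (allowed, reason).

    client_cert_subject is the subject DN of a certificate that the TLS layer
    has already verified (assumed here), or None if no certificate was presented.
    It must come from the TLS handshake, never from a header the client can set.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "malformed client address"
    expected_subject = allowed.get(ip)
    if expected_subject is None:
        return False, "source address not in allowlist"
    if client_cert_subject is None:
        return False, "no client certificate presented"
    if client_cert_subject != expected_subject:
        # A valid certificate from the wrong box: the binding to the IP fails.
        return False, "certificate subject does not match registered client"
    return True, "ok"


if __name__ == "__main__":
    request_line, headers = parse_headers(SAMPLE_REQUEST)
    print(request_line, headers)
    print("MAC-like header values:", find_mac_like_values(headers))
    print(authorize("192.0.2.10", "CN=kiosk-01,O=Example Corp"))
    print(authorize("192.0.2.10", "CN=kiosk-02,O=Example Corp"))
    print(authorize("198.51.100.5", None))
```

The policy deliberately checks the IP first and the certificate second, so an attacker who can only reach the listener from an unregistered address is refused before any certificate handling happens, and a stolen certificate presented from the wrong static IP is refused as well.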
