Using the Referer header in Authentication

My blog got hacked again yesterday. Luckily my automation caught it within the hour and I cleaned it up a few hours after that. It remains a mystery how they got in. (Update: I'm an idiot and there was an extra testing account that was poorly provisioned.) I can see signs of a short brute force attack attempting to log in in the right time frame. But I doubt that worked. I have exceptionally obscure passwords, and I use two factor authentication.

But this got me thinking about assorted other ways I could make login a bit more secure. I could limit which IP addresses are allowed in. I could require that the client present a cookie. There are lots of other standard hacks (and they are hacks) for tightening this up. Rate limiting is always fun.

But I had a fun idea that I want to share. What if I required that the login attempt include a Referer header? It would be a huge inconvenience to route all my login attempts thru one of my private personal pages.

I know, it's just security by obscurity, but even slightly unusual authentication requirements will frustrate the script kiddies.

We can make it better than that. What if we embed a one-time key into the header? For example using TOTP, i.e. what Google Authenticator uses for two factor authentication. That wouldn't be very hard to implement. And, if you're feeling your oats, you could delegate all the authentication to the site you're routing your access thru.

You could make a browser plugin that injects this authenticating header whenever you visit certain URLs. And, of course, there isn't any particular reason to use the Referer header at that point. Obviously a plug-in of that kind could support a helpful scheme for provisioning the TOTP setup.
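To show what the server side of the two previous paragraphs would look like, here is an added example (my own sketch, not code from the post): a login gate that accepts a TOTP code either from the query string of a Referer pointing at a private launch page, or, as the last paragraph suggests, from a custom header a plugin could inject. The TOTP itself follows RFC 6238 (HMAC-SHA1, 30 second steps, 6 digits) and is checked with one step of clock drift either way and a constant-time comparison. The host `private.example.org`, the path `/login-launch`, the `otp` query parameter and the `X-Login-OTP` header name are all assumptions for the example, and the secret is the RFC 6238 test-vector key, not a real credential.

```python
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed demo secret (the RFC 4226/6238 test-vector key). A real deployment
# provisions a random per-user secret, e.g. secrets.token_bytes(20).
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6
# Hypothetical private page that embeds the current code in its login link.
ALLOWED_REFERER_HOST = "private.example.org"
ALLOWED_REFERER_PATH = "/login-launch"
# Hypothetical custom header a browser plugin could inject instead of Referer.
CUSTOM_HEADER = "x-login-otp"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step)


def code_from_referer(referer: str):
    """Return the otp= value only if the Referer is our own private launch page."""
    try:
        parsed = urlparse(referer)
    except ValueError:
        return None
    if (parsed.scheme != "https" or parsed.hostname != ALLOWED_REFERER_HOST
            or parsed.path != ALLOWED_REFERER_PATH):
        return None
    codes = parse_qs(parsed.query).get("otp", [])
    return codes[0] if len(codes) == 1 else None


def presented_code(headers: dict):
    """Pick the one-time code out of the request: Referer first, custom header second."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    code = code_from_referer(lowered.get("referer", ""))
    if code is None:
        code = lowered.get(CUSTOM_HEADER)
    if code is None or len(code) != DIGITS or not code.isdigit():
        return None
    return code


def login_allowed(headers: dict, secret: bytes, now=None, drift_steps: int = 1) -> bool:
    """Gate a login POST: the request must carry a TOTP valid for the current
    30 second step, or one step either side to tolerate clock drift."""
    if now is None:
        now = int(time.time())
    code = presented_code(headers)
    if code is None:
        return False
    counter = now // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    link = f"https://{ALLOWED_REFERER_HOST}{ALLOWED_REFERER_PATH}?otp={totp(DEMO_SECRET, now)}"
    print("launch page would link with Referer:", link)
    print("via Referer:", login_allowed({"Referer": link}, DEMO_SECRET, now))
    print("via header :", login_allowed({"X-Login-OTP": totp(DEMO_SECRET, now)}, DEMO_SECRET, now))
    print("no code    :", login_allowed({}, DEMO_SECRET, now))
```

Two things this sketch leaves to the real implementation: a valid code can be replayed for up to 90 seconds, so a server should remember the last counter it accepted per user and reject repeats; and because the Referer is chosen by the client, the check only has value if the secret stays private and the normal password plus second factor are still required behind it.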
