That's basically all Netscape & Microsoft were doing when they had to restrict 128-bit SSL. They threw in the requirement to enter your address & phone number, but they had no way of telling if you were entering your address, or the one you got from doing a four11.com lookup of John Smith in Plano, Tx.
I block anonymizer & some other proxies, as well as AOL. So I guess you're saying there's not much better than what I'm already doing? The only info I have on the client is what I can get from a TCP connection.

-Ralph

On Wed, 2 Oct 2002, Rick Ernst wrote:

> "Good luck"?
>
> Have you thought about folks using tunneling and proxies? IP-based
> authorization is a very weak and inaccurate/insecure method...
>
> On Wed, 2 Oct 2002, Ralph Doncaster wrote:
>
> :>
> :>I would like to restrict access from certain countries to content on my
> :>network (for security and legal reasons).
> :>
> :>So far the best algorithm I've been able to come up with is a combination
> :>of reverse DNS and APNIC/ARIN/RIPE whois queries. I've written a perl
> :>cgi that checks reverse DNS first, and if there is no gtld country code
> :>for the reverse mapping, does a whois query and parses the response for
> :>the address.
> :>
> :>The problem I have is that the country for the company that owns the IP
> :>block is sometimes not the country the IP block is used in. For example
> :>sungold22.de.ibm.com 194.196.100.86
> :>Whois parsing indicates a country of UK, but from the reverse DNS a person
> :>can see that it is Germany. I've built the pattern of cc.ibm.com into my
> :>cgi, but I'm sure there are other blocks that I'm incorrectly identifying.
> :>
> :>I've looked at RADB entries, as well as origin AS for various IP blocks,
> :>and neither source looks any better than whois.
> :>
> :>Is there a more accurate method to determine the country of origin for an
> :>IP than the methods I've described above?
> :>
> :>-Ralph
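The heuristic described in the quoted original message (reverse DNS first, whois as fallback, plus the cc.ibm.com pattern), as an added example that is not part of the thread and is not Ralph's Perl CGI. It is written in Python and runs on constructed sample data instead of live lookups; the function names, the organisation list and the generic-use TLD set are assumptions.

```python
import re

# Constructed sample data (no live lookups): the PTR name quoted in the post
# and a RIPE-style whois excerpt made up for this example.
SAMPLE_PTR = "sungold22.de.ibm.com"
SAMPLE_WHOIS = """\
netname:  EXAMPLE-NET
descr:    constructed record for illustration
country:  GB
"""

# Assumption: organisations known to name hosts as <host>.<cc>.<domain>.
CC_SUBDOMAIN_ORGS = ("ibm.com",)
# Assumption: two-letter TLDs sold for generic use, so they carry no location hint.
GENERIC_USE_CCTLDS = {"tv", "cc", "ws", "nu", "to"}
ALIASES = {"UK": "GB"}  # the .uk ccTLD corresponds to ISO 3166 code GB

def _norm(code):
    code = code.upper()
    return ALIASES.get(code, code)

def country_from_ptr(ptr):
    """Country hint from a reverse-DNS name, or None if it carries none."""
    if not ptr:
        return None
    name = ptr.rstrip(".").lower()
    labels = name.split(".")
    for org in CC_SUBDOMAIN_ORGS:
        if name.endswith("." + org):
            cc = labels[-len(org.split(".")) - 1]  # label just left of the org domain
            if re.fullmatch(r"[a-z]{2}", cc):
                return _norm(cc)
    tld = labels[-1]
    if re.fullmatch(r"[a-z]{2}", tld) and tld not in GENERIC_USE_CCTLDS:
        return _norm(tld)
    return None

def country_from_whois(text):
    """First 'country:' attribute in a whois response, or None."""
    m = re.search(r"^country:\s*([A-Za-z]{2})\b", text or "", re.M | re.I)
    return _norm(m.group(1)) if m else None

def classify(ptr, whois_text):
    """Return (country, source, conflict); reverse DNS wins, whois is the fallback."""
    rdns, whois = country_from_ptr(ptr), country_from_whois(whois_text)
    conflict = bool(rdns and whois and rdns != whois)
    if rdns:
        return rdns, "rdns", conflict
    return whois, ("whois" if whois else "unknown"), False
```

A PTR record is set by whoever controls the reverse zone, so the result is a hint for an access decision and the `conflict` flag marks addresses worth reviewing by hand.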