DaemonForums  

Old 16th August 2012
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Systems Integration: A security focus for web applications

Bruce Schneier recently pointed out this blog post by Troy Hunt. Mr. Hunt wrote about a B2C site operated by Tesco PLC. At the time of its publication, Tesco's site had received little or no attention by their technical security auditors. Bruce found Mr. Hunt's blog post valuable, "...not because it picks on Tesco but because it's filled with good advice on how not to do it wrong."

I agree. Hunt discussed problems that are very common and occur with many, many sites. The bulk of the problems he attributes to unconscious incompetence -- and that can occur anywhere. We can even outsource the problem to incompetent service providers. These problems are caused by a lack of attention (and/or resources) combined with a lack of knowledge regarding the risk.

One technical example Hunt highlighted is the limitation imposed on "sessions" maintained via HTTP. Cookies must be used, because HTTP is stateless. All of us use sites where session continuity is managed by trading cookies in plain text -- and these sessions are all subject to MITM attack. In fact, I'm transferring a cookie in plain text right now to post this here at www.daemonforums.org -- I can't post without it.

Another issue Hunt highlights is to pay close attention to the security of the complete chain of software used to deploy modern web applications. The chain can be both long and complex, and contain disparate program products and their libraries.

---

Interesting read, though I disagree with him regarding passwords vs. passphrases -- as he takes issue with my favorite XKCD comic. Mathematically, bits of entropy are key to placing brute force attack successes into sufficiently long polynomial time. To do that we need to ensure our randomly chosen passphrase words are sufficiently random to provide that entropy.

Last edited by jggimi; 16th August 2012 at 03:25 PM. Reason: typo
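Added example, not code from the thread or its author: the entropy arithmetic behind the passphrase point above, worked in Python. It assumes a Diceware-style word list (the comic's figure assumes roughly 2048 common words; a full Diceware list has 7776) and draws words with the `secrets` module so that every pick is uniform and unpredictable, which is the condition the post names for the entropy figure to hold. The word list in the block is a short constructed placeholder.

```python
import math
import secrets

# Constructed placeholder word list. A real list (e.g. Diceware) has 7776
# entries; the entropy per word comes from the list size, not the words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "daemon", "forum", "kernel", "socket"]


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits of a secret made of `symbols` independent, uniformly
    random picks from `choices_per_symbol` possibilities: n * log2(N)."""
    return symbols * math.log2(choices_per_symbol)


def expected_guesses(bits: float) -> float:
    """Average guesses a brute-force attacker needs against a uniform secret
    of the given entropy: half of the 2**bits search space."""
    return 2 ** bits / 2


def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets.choice), never random.choice:
    the entropy figure only holds if the selection is truly uniform."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_schemes() -> dict:
    """Entropy of a few password and passphrase schemes, in bits."""
    return {
        "4 words / 2048-word list": entropy_bits(2048, 4),   # 44.0
        "6 words / 7776-word list": entropy_bits(7776, 6),   # ~77.5
        "8 printable ASCII chars": entropy_bits(95, 8),      # ~52.6
        "8 lowercase letters": entropy_bits(26, 8),          # ~37.6
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:28s} {bits:6.1f} bits  ~{expected_guesses(bits):.3g} guesses")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The comparison shows the trade-off the post is making: four words from a 2048-word list give the same 44 bits as roughly seven fully random printable characters, and adding words scales entropy linearly while the attacker's work scales exponentially, provided the words were chosen by a proper random source rather than by a person.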
Old 16th August 2012
daemonfowl
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834

Hi jggimi !
Even with the 'never accept cookies' setting, we are using some willy-nilly? And those certificates: are they really trustworthy? & certificate authorities, intermediates... Can't we really do without such mediation?
Old 17th August 2012
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

You had two questions.

#1
Quote:
Even with the 'never accept cookies' setting, we are using some willy-nilly?
If cookies are not stored on disk, you establish your identity to start your session each time. But you still have temporary cookies -- in particular, a session ID, that allows the web application to know that it is YOU it is talking to. Here, for example, is an excerpt from tcpdump(8) from this current session as I clicked the "Preview Post" button on the vbb editor just now. You can see there is a lot of personal information sent in the clear.
Code:
POST /newreply.php?do=postreply&t=7374 HTTP/1.1
Host: www.daemonforums.org
User-Agent: Mozilla/5.0 (X11; OpenBSD i386; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.daemonforums.org/newreply.php?do=postreply&t=7374
Cookie: bblastvisit=<ten digits>; bblastactivity=0; bbuserid=<xx>; 
bbpassword=<some hex>; bbsessionhash=<some more hex>
Content-Type: application/x-www-form-urlencoded
Content-Length: 856
#2
Quote:
those certificates: are they really trustworthy
Yes... and no. The purpose of a certificate is to validate that the website is that of the certificate holder and no one else. Certificate Authorities exist to provide a Chain of Trust -- and as we have seen, some CAs have abused or broken their trust.
Less commonly, certificates are installed in browsers to validate the user's identity in similar fashion.
Browser makers keep lists of CAs who they trust. And as we have seen they revoke certifications when trust fails. However, certificates are currently the most common way to establish identification of a public facing web server.

We won't solve this problem here, and of course it is outside the scope of discussion I'd started.

Last edited by jggimi; 17th August 2012 at 02:21 AM. Reason: added user certs
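Added example, not code from the thread: a small Python checker that, given a captured request like the excerpt above, lists which cookies carrying authentication state crossed the wire in the clear, and audits a Set-Cookie response header for the attributes that keep a session cookie off plain HTTP (Secure, HttpOnly, and the later SameSite attribute). The request text and cookie values are constructed placeholders modelled on the excerpt, and the name pattern used to decide which cookies count as "sensitive" is a heuristic assumption to tune per application.

```python
import re

# Constructed request modelled on the tcpdump excerpt; cookie values are
# placeholders, not real session data.
SAMPLE_REQUEST = (
    "POST /newreply.php?do=postreply&t=7374 HTTP/1.1\r\n"
    "Host: www.daemonforums.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; OpenBSD i386; rv:13.0) Gecko/20100101 Firefox/13.0.1\r\n"
    "Referer: http://www.daemonforums.org/newreply.php?do=postreply&t=7374\r\n"
    "Cookie: bblastvisit=1345000000; bblastactivity=0; bbuserid=42; "
    "bbpassword=0123456789abcdef; bbsessionhash=fedcba9876543210\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 856\r\n"
    "\r\n"
)

# Heuristic (assumption): cookie names that usually carry auth state.
SENSITIVE_NAME_PATTERN = re.compile(r"(sess|session|pass|pwd|auth|token|userid)", re.I)


def parse_headers(raw_request: str) -> dict:
    """Header names (lower-cased) -> values for a raw HTTP/1.1 request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_cookie_header(value: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


def cleartext_sensitive_cookies(raw_request: str, over_tls: bool) -> list:
    """Names of auth-bearing cookies that were sent unencrypted.
    A request captured readable by tcpdump on port 80 is by definition
    cleartext; over TLS the same cookies would be protected in transit."""
    if over_tls:
        return []
    cookies = parse_cookie_header(parse_headers(raw_request).get("cookie", ""))
    return sorted(name for name in cookies if SENSITIVE_NAME_PATTERN.search(name))


def set_cookie_findings(set_cookie_value: str) -> list:
    """Attributes a session Set-Cookie header should carry but does not."""
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie_value.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    if "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    return findings


if __name__ == "__main__":
    print("sent in the clear:", cleartext_sensitive_cookies(SAMPLE_REQUEST, over_tls=False))
    print("weak:", set_cookie_findings("bbsessionhash=abc; Path=/"))
    print("ok:", set_cookie_findings("bbsessionhash=abc; Path=/; Secure; HttpOnly; SameSite=Lax"))
```

The first check is the one the post makes by hand: on a plain-HTTP session every cookie in that header, the password hash and session hash included, is readable to anyone on the path. The second check is the server-side mitigation: a session cookie set with Secure is never sent over HTTP at all, and HttpOnly keeps it out of reach of injected script, which together with serving the whole site over TLS closes the MITM window the post describes.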
Old 17th August 2012
daemonfowl
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834

Thank you jggimi !!
I've always benefited from your posts ..
Old 22nd August 2012
Carpetsmoker
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243

The most common encryption used is the 8-bit ASCII cipher.

Actually, KPN, the largest Dutch Telecom, once claimed their passwords are encrypted using UTF-8. They also owned DigiNotar.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.