Message-ID: <20100130161931.GG1331@sentinelchicken.org>
Date: Sat, 30 Jan 2010 08:19:31 -0800
From: "Timothy D. Morgan" <tmorgan@...curity.com>
To: "Arian J. Evans" <arian.evans@...chronic.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [Webappsec] Paper: Weaning the Web off of Session Cookies
Hi Arian,
> Good points James. I read this paper a few times to make sure I got
> the point, and it's a cute idea but I just don't see it happening.
Pessimism is understandable; I don't fault you for that.
> For multi-node, multi-app, websites sharing auth/state/preferences
> across multiple web assets (physical servers and logical "websites")
> this is pretty much a non-starter. Cookies rule here. For a dozen
> different reasons that I can think of.
Well, I'm sure you read this, but digest auth can do SSO too, arguably
better. Whatever wrappers frameworks put around cookies, which are a
very simple primitive, can be wrapped around digest auth too.
> Always good to try and raise the bar, but the world has voted cookies
> (thanks Lou!) and I think they are here to stay for at least the next
> decade.
Definitely, they aren't going away, but we should start phasing them
out of authentication. What the replacement is may be up in the air,
but the bottom line is: Cookies were a terrible idea for
authentication when they were first introduced and they are still a
bad idea. We've been hit over the head with this for years.
> Oh, yeah, and marketing rules the world, and web sales and marketing
> (and Google) LOVE cookies. So that is what it is and I really don't
> see that changing until they can inject a tracking device into your
> body.
As the paper points out, these business drivers act against making
cookie primitives more usable for session management.
Thanks for taking the time to read it,
tim