Message-ID: <20100205160609.GK21923@sentinelchicken.org>
Date: Fri, 5 Feb 2010 08:06:09 -0800
From: "Timothy D. Morgan" <tmorgan@...curity.com>
To: "Arian J. Evans" <arian.evans@...chronic.com>
Cc: bugtraq@...urityfocus.com,
	Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
	websecurity@...appsec.org
Subject: Re: [Webappsec] Paper: Weaning the Web off of Session Cookies


Arian,

Sorry for the slow reply.  I'm overseas right now and it's tough to
keep up with email.

I think this thread might be about dead, but I will respond to a few
comments:


> All good ideas, but I believe stillborn at this point. You would get
> far more mileage IMO out of promoting "HTTP 2.0" and issuing in a
> separate data and control channel for the browser, and then look at
> something like this for dynamic auth tokens, combined with data
> structure nonces as well. Kill two birds with one stone. Folks that
> want strong dynamic auth are probably largely the same folks who want
> strong data structures enforced.

Far too often security initiatives fail to gain any momentum because
they bite off far more than they can chew.  I'd love to redesign digest
authentication, for instance, or push for good browser support of some
truly safe HTTP authentication protocols, but that would be much more
likely to fail.  I see this as a relatively easy fix to open up a new
option in web app development.


> As more and more app development moves to hardware platforms
> (iAppleStuffs) and social media aka Ad-metadata networks (Facebook,
> Google *.google.com apps, webmail, etc.) cookies are an easy and
> transparent way to fly, that work now, all the time, and have clear
> business drivers behind them for auth tracking (and working now, all
> the time).
>
> Many modern web 2.0 products use cookies for auth = tracking, not auth
> = confidentiality.

I never said cookies should go away.  I merely want cookies to stop
being used for managing authenticated sessions in most applications.
Some applications may still require that flexibility, however, and for
those they can be more carefully audited.

> The majority of internet users use modern apps where auth = "identity
> tracking and sharing", and statistics support this.
> 
> These same users will readily glue their private, regulated, banking
> apps together with Farmville in some mad web 2.0 gadget-ridden mashup,
> that is cross-domain shared and scripted by default. Which is one area
> cookies rule.

Well, sure, they do currently rule.  There's no reason HTTP
authentication can't be used to authenticate a cross-origin unified
identity.

> I'm going to drop out of this thread as we are at a point where we
> disagree on premise, and possibly ideology.

I'm fine to agree on disagreeing as well.

Cheers,
tim
