lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 30 Jan 2010 09:31:49 -0800
From: "Arian J. Evans" <arian.evans@...chronic.com>
To: "Timothy D. Morgan" <tmorgan@...curity.com>, bugtraq@...urityfocus.com, 
	Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
	websecurity@...appsec.org
Subject: Re: [Webappsec] Paper: Weaning the Web off of
	Session Cookies

Regarding SSO - not at all. Not even remotely. It's not about
"wrappers frameworks put around cookies".

Spend some time on *.yahoo* and *.google* and their partner sites, and
look at how they use both auth and personalization cookies (two
different things).

For the former there is no way to solve usefully with Digest without
implementing some persistent unified tracking mechanism of the likes
Digest Auth does not provide today, or implementing some massive OoB
auth-sharing mechanism like SAML, or combining with something like
SXIP or OpenID. None of these latter give us the changeable
persistence bits we want and need though, when passing auth around
multi-domain/host properties.

Sure, it would work fine for isolated financial apps with no
off-domain links. But that's not the direction the web is moving in.

Auth != Security

Auth != Confidentiality

Auth = Identity

That's the future, like it or not. Cookies are not only "good enough",
but they have distinct advantages over Digest when it comes to
verifying and tracking Identity.

But this stuff makes for good thought so keep the ideas rolling,

---
Arian Evans
capitalist marksman. eats animals and cookies.



On Sat, Jan 30, 2010 at 8:19 AM, Timothy D. Morgan
<tmorgan@...curity.com> wrote:
>
> Hi Arian,
>
>> Good points James. I read this paper a few times to make sure I got
>> the point, and it's a cute idea but I just don't see it happening.
>
> Pessimism is understandable; I don't fault you for that.
>
>> For multi-node, multi-app, websites sharing auth/state/preferences
>> across multiple web assets (physical servers and logical "websites")
>> this is pretty much a non-starter. Cookies rule here. For a dozen
>> different reasons that I can think of.
>
> Well, I'm sure you read this, but digest auth can do SSO to, arguably
> better.  Whatever wrappers frameworks put around cookies, which are a
> very simple primitive, can be wrapped around digest auth too.
>
>> Always good to try and raise the bar, but the world has voted cookies
>> (thanks Lou!) and I think they are here to stay for at least the next
>> decade.
>
> Definitely, they aren't going away, but we should start phasing them
> out of authentication.  What the replacement is may be up in the air,
> but the bottom line is: Cookies were a terrible idea for
> authentication when they were first introduced and they are still a
> bad idea.  We've been hit over the head with this for years.
>
>> Oh, yeah, and marketing rules the world, and web sales and marketing
>> (and Google) LOVE cookies. So that is what it is and I really don't
>> see that changing until they can inject a tracking device into your
>> body.
>
> As the paper points out, these business drivers act against making
> cookie primitives more usable for session management.
>
> Thanks for taking the time to read it,
> tim
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ