Open Source and information security mailing list archives
Date: Mon, 1 Feb 2010 12:19:30 -0800
From: Chris Travers <chris@...atrontech.com>
To: "Timothy D. Morgan" <tmorgan@...curity.com>
Cc: James Landis <jcl24@...nell.edu>, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com, webappsec@...ts.owasp.org
Subject: Re: [Webappsec] Paper: Weaning the Web off of
	Session Cookies

Hi all;

Just backing up Tim here a bit.

In LedgerSMB 1.3, we decided to go to HTTP auth because of some
changes in the security architecture of the software.  After looking
at alternatives, we concluded that HTTP auth was likely to be the way
to go in the long run.  There are some constraints which preclude the use of
Digest authentication (Negotiate and Basic work OK, but the latter
really requires SSL).

In general the issues came down to:

1)  We do pass-through authentication, and both authentication and
permissions enforcement occur at the database level.
2)  To do this effectively, we would have to either store the database
passwords somewhere accessible to the web server (opening up possible
attacks) or we would have to pass them back using some sort of secure,
but reversible encryption scheme.  Since the key would have to be
accessible on the server, this didn't seem as secure to us as just
requiring a usable auth token to be passed to the web server via HTTP
auth.

There are substantial hurdles to overcome to make this work.  However,
moving to an HTTP auth framework means that a number of really
powerful tools are gained.  While it isn't standard yet, I hope the
industry moves in that direction.

I do think we need some sort of HTTP status or other header
information that would tell a browser to clear the auth cache and not
try again.

Best Wishes,
Chris Travers
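As an added illustration of the pass-through design described in the message above (this is example code written for this archive page, not LedgerSMB's own code): a minimal WSGI handler takes the Basic credentials from each request and hands them straight to the database connection, so the web tier never stores a password or a reversibly encrypted copy of it. The `DB_USERS` table and `db_connect` are constructed stand-ins for the database's own authentication; the 401 response only re-prompts the browser, since, as the message notes, there is no standard header that clears its auth cache.

```python
import base64

# Constructed stand-in for database-level authentication (in the real
# design the database itself accepts or rejects the connection).
DB_USERS = {"alice": "s3cret"}


def db_connect(user, password):
    """Simulate opening a DB connection as `user`; the DB decides validity."""
    return DB_USERS.get(user) == password


def basic_header(user, password):
    """Build the value of an 'Authorization: Basic ...' request header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """Return (user, password) from a Basic auth header, or None if malformed."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def app(environ, start_response):
    """WSGI app: credentials are used per request, never persisted server-side.
    Basic sends them in clear, so this only belongs behind TLS."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds is None or not db_connect(*creds):
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="ledger"'),
                        ("Content-Type", "text/plain")])
        return [b"authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"connected to database as {creds[0]}\n".encode()]


def call(environ):
    """Invoke the app directly and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```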
