[Plone-users] Re: [Zope-CMF] CookieCrumbler security issue?

Seb Potter seb at getfrank.com
Fri Jan 23 05:24:42 EST 2004


On Fri, 23 Jan 2004 09:33:57 +0000, Chris Withers <chris at simplistix.co.uk> 
wrote:

> Seb Potter wrote:
>
>> This is a universal problem of using cookies as a method of providing 
>> persistent authentication.
>
> Indeed, although HTTP Basic Authentication is even worse!

Or, more accurately, exactly the same.

>> Cookies are a non-ideal solution that really should only be used in 
>> conjunction with an SSL-secured connection if you're worried about 
>> transmission security.
>
> Yup, but see my question to Lennart, I'm particularly concerned about 
> when you have an HTTPS and an HTTP site at the same domain...

Don't. Really, seriously. Use HTTPS for all login/authentication, and do 
it on a different domain. Make it *impossible* to log in from the HTTP 
domain.

>> The point being: if you're using cookies for authentication and you're 
>> transmitting in cleartext, then your connection is open to a 
>> packet-sniffing attack, regardless of how you obfuscate your 
>> authentication token.
>
> True... I guess that is also true for HTTP Basic auth?

Yep.

>> Of course, using cookies will always expose you to the worst security 
>> nightmare: compromise of the remote terminal. (Fortunately, without 
>> being able to control the end-user, there's not a great deal you can do 
>> about this in a web environment.)
>
> Well, again, how does this differ with HTTP Basic Auth?

Not a lot really. The two are equivalent in most functional senses.

>> Whilst I agree that this is a fair compromise in most cases, it 
>> certainly is not the right route if you're paranoid about security.
>
> What would be?


Don't allow any authentication over HTTP whatsoever. Do it all over HTTPS 
with 128-bit server certs, and require client certificate in order to 
connect. Enforce secure authentication tokens (20 character random 
passwords on 30 day rotation).

Of course, you then have the whole palaver of issuing certificates to 
clients and ensuring that they are installed on the client computer, etc., 
but in reality this is the best method to secure communications over an 
internet connection without being able to control client hardware.

- seb

-- 
Seb Potter
Senior Developer
Getfrank Ltd.
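The policy Seb lays out above (no login over HTTP, authentication only over HTTPS on a dedicated host, a verified client certificate, and 20-character random tokens rotated every 30 days), written out as an added Python example. This is not code from the original thread, from CookieCrumbler, or from Zope; the auth host name, the cookie name, and the function names are assumptions chosen for illustration.

```python
import secrets
import string
from datetime import datetime, timedelta
from typing import Optional

# Constructed values, not from the original message: the HTTPS-only host that
# handles all logins, separate from whatever host serves plain HTTP content.
AUTH_HOST = "login.example.com"
COOKIE_NAME = "auth_token"        # assumed name; CookieCrumbler's own may differ
TOKEN_LENGTH = 20                 # "20 character random passwords"
ROTATION = timedelta(days=30)     # "on 30 day rotation"
_ALPHABET = string.ascii_letters + string.digits


def new_token() -> str:
    """Build a 20-character token from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(TOKEN_LENGTH))


def token_expired(issued_at: datetime, now: datetime) -> bool:
    """True once a token is 30 days old and must be re-issued."""
    return now - issued_at >= ROTATION


def login_allowed(scheme: str, host: str, client_cert_verified: bool) -> bool:
    """Refuse a login unless it is HTTPS, on the auth host, with a verified
    client certificate. A request arriving on the HTTP site fails the first
    two checks, so logging in from that domain is impossible by construction."""
    return (
        scheme.lower() == "https"
        and host.lower() == AUTH_HOST
        and client_cert_verified
    )


def auth_cookie_header(token: str, scheme: str, host: str,
                       client_cert_verified: bool) -> Optional[str]:
    """Return the Set-Cookie header value for an accepted login, or None.

    Secure:   the browser only sends the cookie back over TLS, so it is never
              exposed to a packet sniffer on a cleartext connection.
    HttpOnly: page scripts cannot read it.
    No Domain attribute: the cookie is host-only, scoped to AUTH_HOST, so the
              separate HTTP site never receives it."""
    if not login_allowed(scheme, host, client_cert_verified):
        return None
    return f"{COOKIE_NAME}={token}; Secure; HttpOnly; Path=/; SameSite=Strict"


if __name__ == "__main__":
    tok = new_token()
    print(auth_cookie_header(tok, "https", AUTH_HOST, True))
    print(auth_cookie_header(tok, "http", "www.example.com", True))  # None
```

The scheme and host checks stand in for whatever the real server exposes about the connection (in Zope that would come from the request object; here they are plain parameters so the logic runs stand-alone). The token generator uses `secrets`, since `random` is not suitable for authentication material.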
