XML-DEV Mailing List Archive

Re: Re: Cookies at XML Europe 2004 -- Call for Participation
At 8:34 PM -0500 1/7/04, Rich Salz wrote:

>The cookie that references the server state must be treated almost as
>securely as a cookie containing password information, or an HTTP
>basic-auth application. In practice, this often means SSL for data
>privacy while in transit. Other mechanisms -- the credentials could
>record the client's IP address, for example -- are also possible.

My god. It is as bad as I feared. I find this hard to believe, but it really convinces me that I was right in the first place: cookies are a very bad idea and should be avoided at all costs, including for session authentication, though perhaps for different reasons than I initially thought. Cookies are demonstrably less secure than HTTP digest authentication.

We've got a log and a speck situation here. The problems you've brought up with digest authentication in HTTP are the speck, but the security problems with cookies are a log. Yes, if someone sniffs a digest-authenticated session and runs a dictionary attack on a weak, infrequently changed password, they might be able to pull out the password quickly enough to make use of it. This problem can be alleviated by individual users choosing strong passwords. Not an ideal situation, certainly, but let's compare that to the cookie problems:

Someone snarfs a single unencrypted session and they immediately have access to that server, and can use it immediately for as long as the cookie lasts. No difficult decryption required! If the server's unusually paranoid they may have to spoof the IP address too, but that's trivial and fast. This attack is so much worse, so much faster, and so much easier to implement that I find it amazing no one's exploited this hole yet. Or at least, if they have, it hasn't been widely publicized. Security is only as strong as the weakest link in the chain, and this makes it brutally apparent that cookies are a much weaker link.

Both cookies and digest authentication have security issues, but the problems with digest authentication pale in comparison to those with cookies. Of course, problems with both digest authentication and cookies can largely be alleviated by using 128-bit SSL encryption. In that environment, there's a theoretical attack on the digest authentication following a successful decryption of the SSL key. If you can pull that off, more power to you.

Bottom line: SSL on: everything is safe. SSL off: HTTP digest authentication, while not perfect given likely weak passwords, is more secure than cookie-based authentication.

--
Elliotte Rusty Harold
elharo@m...
Effective XML (Addison-Wesley, 2003)
http://www.cafeconleche.org/books/effectivexml
http://www.amazon.com/exec/obidos/ISBN%3D0321150406/ref%3Dnosim/cafeaulaitA
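The comparison in the message above, worked through in code. This is an added example written for this archive page; it is not code from the XML-DEV thread or from any product either poster worked on. It models two toy in-process servers (class names, the realm `example.org`, the credential store, the URI and the five-word wordlist are all constructed for the illustration): a cookie-session server in which a random session id references server-side state, and an RFC 2617 Digest server with `qop=auth` that remembers issued nonces and seen `(nonce, nc)` pairs. An eavesdropper who captures one plaintext exchange of each kind can reuse the cookie as-is, while the captured Digest header cannot be replayed against a nonce-tracking server and only yields the password after an offline dictionary attack that succeeds only when the password is weak.

```python
"""Added example: a sniffed session cookie versus a sniffed Digest exchange (toy models)."""
import hashlib
import hmac
import secrets

# Constructed credential store: one weak password, one strong one.
PASSWORDS = {"alice": "letmein", "bob": "qN7#vR2!pL9wX4zK"}
REALM = "example.org"  # assumed realm for the illustration


class CookieSessionServer:
    """Session id in a cookie references server-side state (the scheme discussed above)."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.sessions = {}  # session id -> user

    def login(self, user, password):
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return None
        sid = secrets.token_hex(16)  # the value that goes into Set-Cookie: SESSIONID=...
        self.sessions[sid] = user
        return sid

    def request(self, cookie):
        # Whoever presents the cookie *is* the user, for as long as the session lives.
        return self.sessions.get(cookie)


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Digest server that tracks issued nonces and seen (nonce, nc) pairs, so exact replay fails."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.passwords = passwords
        self.issued = set()
        self.seen = set()

    def challenge(self):
        nonce = secrets.token_hex(16)  # WWW-Authenticate: Digest nonce="..."
        self.issued.add(nonce)
        return nonce

    def request(self, method, uri, auth):
        """auth: fields of the client's Authorization: Digest header, as a dict."""
        key = (auth["nonce"], auth["nc"])
        if auth["nonce"] not in self.issued or key in self.seen:
            return None  # unknown/stale nonce, or the same request replayed verbatim
        password = self.passwords.get(auth["username"])
        if password is None:
            return None
        expected = digest_response(auth["username"], self.realm, password, method, uri,
                                   auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return None
        self.seen.add(key)
        return auth["username"]


def dictionary_attack(auth, method, uri, realm, wordlist):
    """Offline guessing against a captured Digest exchange: (password or None, guesses made)."""
    for n, guess in enumerate(wordlist, 1):
        if digest_response(auth["username"], realm, guess, method, uri,
                           auth["nonce"], auth["nc"], auth["cnonce"]) == auth["response"]:
            return guess, n
    return None, len(wordlist)


def demo(user="alice"):
    """Sniff one plaintext exchange of each kind and see what the attacker gets."""
    # 1. Cookie scheme: the captured cookie is usable immediately, nothing to crack.
    cookie_srv = CookieSessionServer(PASSWORDS)
    sniffed_cookie = cookie_srv.login(user, PASSWORDS[user])
    cookie_replay_user = cookie_srv.request(sniffed_cookie)

    # 2. Digest scheme: capture one legitimate authenticated GET, then replay it.
    digest_srv = DigestServer(REALM, PASSWORDS)
    method, uri = "GET", "/private/report.xml"  # constructed request
    nonce = digest_srv.challenge()
    sniffed_auth = {"username": user, "nonce": nonce, "nc": "00000001",
                    "cnonce": secrets.token_hex(8)}
    sniffed_auth["response"] = digest_response(user, REALM, PASSWORDS[user], method, uri,
                                              nonce, sniffed_auth["nc"], sniffed_auth["cnonce"])
    legit_user = digest_srv.request(method, uri, sniffed_auth)
    digest_replay_user = digest_srv.request(method, uri, sniffed_auth)  # attacker's replay

    # 3. What is left to the attacker: an offline dictionary attack on the captured digest.
    wordlist = ["123456", "password", "qwerty", "letmein", "dragon"]  # constructed
    recovered, guesses = dictionary_attack(sniffed_auth, method, uri, REALM, wordlist)
    return {"cookie_replay_user": cookie_replay_user, "legit_user": legit_user,
            "digest_replay_user": digest_replay_user,
            "recovered_password": recovered, "guesses": guesses}


if __name__ == "__main__":
    print(demo("alice"))  # weak password: recovered after 4 guesses
    print(demo("bob"))    # strong password: not in the wordlist, digest yields nothing
```

Two caveats the toy hides. The Digest replay fails here only because the server remembers `(nonce, nc)` pairs; a server that issues long-lived nonces and never checks the nonce count accepts a verbatim replay for as long as the nonce is valid, which narrows the gap the message describes. And the IP-address binding mentioned in the quoted text is not modelled at all; the model simply treats the cookie as bearer credential, which is the point being made.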