Christopher Lemmer Webber wrote on 09/03/2018 06:18 AM:
https://docs.racket-lang.org/web-server/faq.html#%28part._.What_special_considerations_are_there_for_security_with_the_.Web_.Server_%29
(I agree with the FAQ btw that a cookie-based approach has major downsides fwiw.)

For a credible authentication session that works with current browsers, today,[1] I think you'll probably end up making cookies a part of it.

HTTP Basic authentication has limited uses, which might include things like student homework assignments, but not general Web purposes.

If you try to do it from JS (such as by trusting HTML5 storage security more than that of cookies, or going much more anti-Web AJAX-y for content loading), or making all your requests `POST` (with some unusual framework), I think you'll have problems in practice.  And anything that appears in the URL will tend to get leaked numerous ways by many browser configurations (regardless of HTTPS, or which Hierarchical URI component you put it in).

For some much narrower purposes, HTTPS client certs have a place (and I kinda like them), but they are an administrative headache, there's a prohibitive usability burden for bringing on new users in for the general case of Web sites/services, usability burdens tend to create security weaknesses, browser support is strangely starting to disappear, and the browsers and "stacks" are full of holes anyway (such that there are weaker points to harden before cookies).

The new work on Web browser support for hardware keys conceivably might include something generally useful, at some point, but adult supervision is needed, when it's being pushed by parties in the business of doing ubiquitous mass surveillance and/or selling hardware keys.


[1] And I don't think cookies will be going away anytime soon. Almost everyone is using them for surveillance (mostly gratuitous wrt purported service) and essential authentication session tokens. Mozilla is just now starting to be a little principled against certain kinds of cookie abuses for surveillance, but their funding is based on being dotcom-friendly, and I suspect that they won't actually break the current surveillance-funded industry anytime soon (nor be willing to have their browser stop working with the most popular sites, without compromise, if it comes to a standoff). Although, one of their former top VIPs, now at Brave, seems to be working on breaking various surveillance methods, while setting up a new middleperson for monetization.  If Brave gets uptake from privacy-conscious people, I suppose that might light a fire under Mozilla, to reorient more thoroughly to privacy-respecting, throughout everything they do (since they have a fleet of executives who have seen them lose large chunks of market share before, on earlier differentiators).  Probably, some standards will be broken, and perhaps standards eventually changed to permit that breakage (they could call it a standards "profile", if that helps diplomacy), and the dawn of a new skepticism of dotcom intentions and the technology decisions they push.  Regardless, I think cookies will still work for at least first-party session authentication for a while. :)

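As an added example (not code from the message above or from the Racket web-server docs), here is the kind of first-party session cookie the reply argues for: an opaque server-side session id sent in a cookie with Secure, HttpOnly and SameSite set, instead of in the URL where it would leak. It assumes the `make-cookie` keywords `#:secure?`, `#:http-only?` and `#:extension` from `web-server/http`, and uses an in-memory hash as a stand-in for a real session store.

```racket
#lang racket
;; Added example, not from the original message or the Racket project.
;; Assumes make-cookie accepts #:secure?, #:http-only? and #:extension.
(require web-server/servlet
         web-server/servlet-env
         web-server/http
         racket/random
         file/sha1)          ; bytes->hex-string

(define session-cookie-name "sid")
;; Constructed in-memory session store: session id -> user name.
(define sessions (make-hash))

;; 32 random bytes, hex-encoded: the id is unguessable and carries no data,
;; so nothing sensitive is stored client-side.
(define (fresh-session-id)
  (bytes->hex-string (crypto-random-bytes 32)))

;; Secure   -> browser only sends it over HTTPS
;; HttpOnly -> not readable from page JavaScript
;; SameSite -> not attached to cross-site requests (CSRF mitigation)
(define (session-cookie sid)
  (make-cookie session-cookie-name sid
               #:path "/"
               #:max-age (* 60 60 8)          ; 8 hours
               #:secure? #t
               #:http-only? #t
               #:extension "SameSite=Strict"))

;; Resolve the caller's session from the Cookie header, if any.
(define (current-user req)
  (define c (findf (lambda (c)
                     (string=? (client-cookie-name c) session-cookie-name))
                   (request-cookies req)))
  (and c (hash-ref sessions (client-cookie-value c) #f)))

(define (start req)
  (define user (current-user req))
  (cond
    [user (response/xexpr `(html (body (p ,(format "Hello, ~a" user)))))]
    [else
     ;; Real code verifies credentials here; the example just logs in "demo".
     (define sid (fresh-session-id))
     (hash-set! sessions sid "demo")
     (response/xexpr
      #:headers (list (cookie->header (session-cookie sid)))
      `(html (body (p "Session started; reload to be recognised."))))]))

;; Serve behind TLS in practice: with #:secure? the browser drops the cookie
;; on plain HTTP, so the session silently never resumes.
(serve/servlet start #:servlet-path "/")
```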