On 30-06-2011 08:49, Marius Mårnes Mathiesen wrote:
On Thu, Jun 30, 2011 at 1:10 PM, Rodrigo Rosenfeld Rosas
<[email protected] <mailto:[email protected]>> wrote:
I'm still a bit worried about the security implications of using
OpenID, as I was testing it and figured out it worked on localhost
in my development environment. This means that OpenID is able to
work using HTTP redirects without the two sides talking directly to each other.
The security implication is that it is probably trivial to issue
a replay attack if you're behind a proxy, for instance. I didn't
investigate this enough to know how hard that would be, but I
used to think that necessarily both the relying party and the OpenID
provider would talk directly to each other...
IIRC, in OpenID the consumer server (the Gitorious server) connects to
the OpenID provider and they agree on a shared secret (or equivalent)
before the user is redirected to the provider site for authentication.
Once authentication has been performed, the user is redirected back to
the consumer server with enough data in the URL to verify that
authentication indeed succeeded (the consumer server will connect back
to the server to verify this). One thing the provider will not do is
connect to the consumer while the visitor is going through
authentication. The spec
[http://openid.net/specs/openid-authentication-2_0.html] describes the
gory details about how this works.
Yes, I was reading that specification yesterday, but there are multiple
ways OpenID can authenticate. Here is my concern, regarding the use of
HTTP redirects for authenticating the user:
The user is redirected to Google after Gitorious connected to it
previously. Then, Google will send an HTTP redirect back to Gitorious. If
the user is behind a proxy like Squid, and you have access to the logs,
you'll see the URL that allows the user to be authenticated. My
concern is that, knowing the URL, you can try to access it yourself shortly
after the user so that you are authenticated as him in Gitorious, by
issuing a replay attack. I didn't try this, but that is my current
concern about OpenID. Is there any reason this replay attack wouldn't
succeed?
I don't know about Crowd, but I think we should try to understand
the security implications of each authentication method Gitorious
is planning to support... Even if Gitorious decides to adopt some
of them, it should recommend to users the authentication
systems that it considers more secure, or something like that...
I would assume most sites running Gitorious on their own will use the
default, database-backed authentication, and we should make sure this
is a safe choice. I'd also say it's reasonable to assume that
people/organizations who need something else do so because they *have*
something else - LDAP/AD keep coming up.
Yes, I agree LDAP/AD is a common feature request (a professor has asked
me about this too some time ago). And I find it to be very secure
indeed. Probably even more than the database-backend authentication.
I would think that most such existing systems (we're probably
talking "enterprise" solutions here) have a reasonable level of security?
I wish I were as sure as you are... :)
That being said, I agree that we should be very careful to add support
for *any* kind of authentication scheme; OAuth authentication towards
Twitter/Facebook comes to mind. The same goes for HTTP Basic Auth over
HTTP.
I'm not a security specialist, so I don't know exactly how these work and
what kind of security flaws could be present in those authentication
systems.
Cheers, Rodrigo.
--
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
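The exchange Marius describes (an association agreed before the redirect, then a signed assertion carried back in the redirect URL) and the proxy-log replay Rodrigo asks about, as an added example in Ruby. This is not Gitorious's code and not the ruby-openid library; the hostnames, the in-memory association and the nonce store are assumptions made for the illustration. It follows the OpenID 2.0 spec linked above: the positive assertion carries openid.response_nonce, which the relying party must accept only once per OP endpoint (spec section 11.3), so the same URL read from a proxy log is rejected when re-issued.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'
require 'time'
require 'uri'

# Added illustration of OpenID 2.0 association + signed assertion + RP checks.
# Endpoints and identities below are hypothetical.
class OpenIDError < StandardError; end

Association = Struct.new(:handle, :mac_key, :assoc_type)

# Fields a positive assertion must sign (OpenID 2.0 section 10.1).
REQUIRED_SIGNED = %w[op_endpoint return_to response_nonce assoc_handle identity claimed_id].freeze

# Key-value form signature: "key:value\n" per signed field, keys without the
# "openid." prefix, HMAC'ed with the association's MAC key (spec section 6).
def openid_sign(params, mac_key, signed_fields)
  kv = signed_fields.map { |k| "#{k}:#{params["openid.#{k}"]}\n" }.join
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', mac_key, kv))
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# OP side: parameters the provider redirects the browser back to return_to with.
# response_nonce is a UTC timestamp plus random characters, unique per assertion.
def op_positive_assertion(assoc, op_endpoint, return_to, identity, now)
  params = {
    'openid.ns'             => 'http://specs.openid.net/auth/2.0',
    'openid.mode'           => 'id_res',
    'openid.op_endpoint'    => op_endpoint,
    'openid.return_to'      => return_to,
    'openid.response_nonce' => now.getutc.strftime('%Y-%m-%dT%H:%M:%SZ') + SecureRandom.hex(4),
    'openid.assoc_handle'   => assoc.handle,
    'openid.identity'       => identity,
    'openid.claimed_id'     => identity,
    'openid.signed'         => REQUIRED_SIGNED.join(','),
  }
  params['openid.sig'] = openid_sign(params, assoc.mac_key, REQUIRED_SIGNED)
  params
end

# RP side (the Gitorious role). A real RP obtains the association from the OP
# over a direct request (spec section 8); here it is created in memory.
class RelyingParty
  NONCE_WINDOW = 300 # seconds of clock skew tolerated on response_nonce
  attr_reader :return_to

  def initialize(return_to)
    @return_to = return_to
    @associations = {} # handle => Association
    @seen_nonces = {}  # "op_endpoint|nonce" => true; must outlive NONCE_WINDOW
  end

  def associate
    assoc = Association.new(SecureRandom.hex(8), SecureRandom.random_bytes(32), 'HMAC-SHA256')
    @associations[assoc.handle] = assoc
    assoc
  end

  # Spec section 11: verify the assertion in the redirect URL. Returns the
  # asserted identity or raises OpenIDError with the reason for rejection.
  def verify(redirect_url, now)
    params = URI.decode_www_form(URI(redirect_url).query).to_h
    raise OpenIDError, 'not a positive assertion' unless params['openid.mode'] == 'id_res'
    raise OpenIDError, 'return_to mismatch' unless params['openid.return_to'] == @return_to
    assoc = @associations[params['openid.assoc_handle']]
    raise OpenIDError, 'unknown association' unless assoc
    signed = params['openid.signed'].to_s.split(',')
    raise OpenIDError, 'required field not signed' unless (REQUIRED_SIGNED - signed).empty?
    expected = openid_sign(params, assoc.mac_key, signed)
    raise OpenIDError, 'bad signature' unless secure_equal(expected, params['openid.sig'].to_s)
    nonce = params['openid.response_nonce'].to_s
    begin
      stamp = Time.iso8601(nonce[0, 20])
    rescue ArgumentError
      raise OpenIDError, 'malformed nonce'
    end
    raise OpenIDError, 'nonce too old' if (now - stamp).abs > NONCE_WINDOW
    key = "#{params['openid.op_endpoint']}|#{nonce}"
    raise OpenIDError, 'replayed nonce' if @seen_nonces[key]
    @seen_nonces[key] = true
    params['openid.identity']
  end
end

def attempt(rp, url, now)
  rp.verify(url, now)
rescue OpenIDError => e
  e.message
end

# The scenario from the thread: the user's redirect URL is captured from a proxy
# log and re-issued shortly afterwards, after tampering, and much later.
def demo(now = Time.now)
  rp = RelyingParty.new('https://gitorious.example/sessions/openid')
  assoc = rp.associate
  params = op_positive_assertion(assoc, 'https://op.example/openid', rp.return_to,
                                 'https://op.example/alice', now)
  url = "#{rp.return_to}?#{URI.encode_www_form(params)}"
  {
    first:    attempt(rp, url, now),                          # legitimate login
    replay:   attempt(rp, url, now + 5),                      # same URL from the proxy log
    tampered: attempt(rp, url.sub('alice', 'mallory'), now),  # identity swapped in the URL
    stale:    attempt(rp, url, now + 3600),                   # beyond the nonce window
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two caveats a practitioner would keep in mind: the nonce only prevents a second use, so an attacker who reads the URL from a proxy log and races the user's browser to return_to would still win if they deliver it first; and the proxy can only see the query string at all when return_to is plain HTTP, so the URL Rodrigo describes stays out of the Squid log once the Gitorious side is served over HTTPS. The nonce store must also be shared across all application servers and retained at least as long as NONCE_WINDOW, otherwise a replay against a different node succeeds.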