Very nicely explained, Nikolaos!
Freddy
On Mon, 31 Jan 2011 17:00 -0500, "Adam Stokar"
<ajsto...@gmail.com> wrote:
Appreciate your help Nikolaos, this is exactly what I was
looking for. Thanks!
- Adam
On Mon, Jan 31, 2011 at 1:52 PM, Nikolaos Giannopoulos
<[1]nikol...@brightminds.org> wrote:
Adam,
Of course, the simple solution to the problem is to use HTTPS all
the way and yes there are SSL terminating LB's which "cheapen"
the expense of SSL but unfortunately there is still an overhead
and your site will have reduced scalability. As long as that
reduced scalability is within your limits... you are set and have
the ideal solution. Having SSL terminate at the App servers vs.
the LB's is going to incur a bigger performance penalty.
However, in our case much of our traffic doesn't even require
login... and the only clear time when there is sensitive
information to protect is when creating a membership or updating
ones membership credit card information. So SSL 100% of the time
for us is far from ideal.
Here is what we do:
1) We don't use HTTPS for login ;-)
On the server we generate a "quasi" secure nonce every time we
start a sign in transaction (i.e. every time we present the
form)... which encodes part of the JSESSIONID + timestamp +
remote IP address in the nonce. Why do I say "quasi" secure
because if you sit behind the same router (e.g. over WIFI) your
remote IP address obtained in Java is going to be the same as
your neighbours... so in a way this does little in this case but
is simple enough to have and guard against other cases).
On the client side we have a JavaScript function that does the
following on login form submit:
password = "SHA1:" + Sha1.hash(password);
password = "SHA1:" + Sha1.hash(password + ':' +
nonce);
On the login action bean we have a validateUser event that is set
to ValidationState.ALWAYS that does the following "key" things:
- Obtains the server generated nonce node (object) from the
session using the nonce as lookup "key"
- Ensures that the nonce node is in a STARTED state (vs. an
UNINITIALIZED or other state)
- Verifies the users remote IP against that encoded in the
nonce (doesn't help in WIFI cases but does in other
man-in-the-middle attacks)
- Looks up the user object using username and obtain DB user
password which is stored as "SHA1:<userPassword>"
- Compare sha1Encrypt(user.getPassword() + nonce) against
"password" passed into the form post
- If all is successful reset the nonce node to UNINITIALIZED
(thus making the entire TX one-time!!!!!!!!!!)
So what this does is the following:
a) From client through server to DB we are "never" dealing
with a clear text password i.e. its always hashed
b) As the client hashes the nonce with the users password the
passed in "password" is only useful for the life of the TX...
otherwise it is useless... and moreover on successful login the
nonce is no longer re-usable... this is KEY
So even if could steal the password over WIFI, set your IP to
match the users, you still have about 10 seconds or so (however
long it takes to hit your server, create a login bean instance
(with life cycle) and process its validation method) and
thereafter the credentials are useless... much like how a FOB
providing say a 6 digits number that changes every X seconds is
appended to a password for login say at eTrade.
Is this infallible? No... but it sure helps improve
performance... if we are OK to have MOST of our traffic run over
HTTP.
As far as membership or payment is concerned we switch to HTTPS
and force the user to sign in again. Likewise once they come
back to the main HTTP part of the site. In fact, many sites will
force you to log in again just to be sure it is you every once in
a while or at key points (IIRC Yahoo Mail, SafariOnline and
Amazon do this) so as in our case this is a very small part of
our traffic the added log in inconvenience isn't a big deal...
and could be ironically perceived as being overly cautious.
As someone who has spent many years working as a Senior Identity
Management / Solutions Architect I can tell you that the above
solution is not for everyone and there are other solutions
available such as using a Policy Agent / Proxy based identity
management solution (Oracle, IBM, CA, etc... all pretty much have
solutions in place that utilize a centralized hub like Identity
architecture where policy agents bind into your J2EE Application
Server and can enforce Authentication and Authorization (URI
based and even Role based with standard Web.xml security
bindings).
But alas for most Internet sites today were a lot of traffic is
non-sensitive - as you point out - a 100% HTTPS OR a full blown
Identity platform - may indeed be overkill. Like anything else,
Security is always a trade-off of things, and a ring like layered
approach works best IMHO... you just have to decide how many
rings you are going to have and how thick those rings need to
be. When / where to use HTTPS is just one piece of the puzzle.
HTH ;-)
--Nikolaos
Adam Stokar wrote:
We've noticed a difference in performance on our servers using
http vs https so figured if we could use some code to handle this
issue vs upgrading our servers. I don't really agree that if you
secure the site with a login that everything should be secure.
Digg, for example, doesn't need to encrypt its news feed after
you login because the information is not sensitive. Many sites
I've seen have non-secure content after logging in. Was hoping
there was an easy way to do it in Stripes but I guess not.
On Mon, Jan 31, 2011 at 10:19 AM, Stone, Timothy
<[2]tst...@barclaycardus.com> wrote:
Couldn't this "use case" also be addressed with OAuth? Where
the Auth is
performed over OAuth, but the site remains over HTTP
(non-secure).
I do agree 100% with Janne though, HTTPS is cheap. If the
username/password, and the services provided by the webapp
should be
secure, make it secure 100% of the time, e.g., redirect to
HTTPS
immediately on hitting the site.
Regards,
Tim
-----Original Message-----
From: Janne Jalkanen [mailto:[3]janne.jalka...@ecyrd.com]
Sent: Monday, January 31, 2011 9:48 AM
To: Stripes Users List
Subject: Re: [Stripes-users] HTTPS to HTTP switching
> 1) Logging in. The login action should be https so username
and
> password are encrypted, but once i pass the login, the first
page the
> user sees does not need to be secure, hence switching from
https to
> http
And that's exactly when your site stops being secure, and the
user
session can be hijacked, and your site is compromised. Facebook
does
login over https, yet the sessions can be hijacked. That's why
they're
rolling out the change...
Please *do* seriously consider using https all the way after the
user
has logged in. You have very few real reasons why you shouldn't -
https
is very cheap these days with SSL-terminating loadbalancers and
plenty-of-CPU power for decryption anyway. You're otherwise
creating a
fairly easy-to-exploit security hole in your system... (unless,
of
course, you can ensure that nobody ever uses your system over
WiFi.)
/Janne
-----------------------------------------------------------------
-------
------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD
value)!
Finally, a world-class log management solution at an even better
price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February
28th, so secure your free ArcSight Logger TODAY!
[4]http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Stripes-users mailing list
[5]Stripes-users@lists.sourceforge.net
[6]https://lists.sourceforge.net/lists/listinfo/stripes-users
Barclays [7]www.barclaycardus.com
This e-mail and any files transmitted with it may contain
confidential and/or proprietary information. It is intended
solely for the use of the individual or entity who is the
intended recipient. Unauthorized use of this information is
prohibited. If you have received this in error, please contact
the sender by replying to this message and delete this
material from any system it may be on.
-----------------------------------------------------------------
-------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD
value)!
Finally, a world-class log management solution at an even better
price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
[8]http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Stripes-users mailing list
[9]Stripes-users@lists.sourceforge.net
[10]https://lists.sourceforge.net/lists/listinfo/stripes-users
__________________________________________________________________
--------------------------------------------------------------------------
----
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-fre
e!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
[11]http://p.sf.net/sfu/arcsight-sfd2d
__________________________________________________________________
_______________________________________________
Stripes-users mailing list
[12]Stripes-users@lists.sourceforge.net
[13]https://lists.sourceforge.net/lists/listinfo/stripes-users
--
Nikolaos Giannopoulos
Director of Information Technology
BrightMinds Software Inc.
e. [14]nikol...@brightminds.org
w. [15]www.brightminds.org
t. 1.613.822.1700
c. 1.613.797.0036
f. 1.613.822.1915
--------------------------------------------------------------
----------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD
value)!
Finally, a world-class log management solution at an even
better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
[16]http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Stripes-users mailing list
[17]Stripes-users@lists.sourceforge.net
[18]https://lists.sourceforge.net/lists/listinfo/stripes-users
--------------------------------------------------------------------------
----
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-fre
e!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
References
1. mailto:nikol...@brightminds.org
2. mailto:tst...@barclaycardus.com
3. mailto:janne.jalka...@ecyrd.com
4. http://p.sf.net/sfu/arcsight-sfd2d
5. mailto:Stripes-users@lists.sourceforge.net
6. https://lists.sourceforge.net/lists/listinfo/stripes-users
7. http://www.barclaycardus.com/
8. http://p.sf.net/sfu/arcsight-sfd2d
9. mailto:Stripes-users@lists.sourceforge.net
10. https://lists.sourceforge.net/lists/listinfo/stripes-users
11. http://p.sf.net/sfu/arcsight-sfd2d
12. mailto:Stripes-users@lists.sourceforge.net
13. https://lists.sourceforge.net/lists/listinfo/stripes-users
14. mailto:nikol...@brightminds.org
15. http://www.brightminds.org/
16. http://p.sf.net/sfu/arcsight-sfd2d
17. mailto:Stripes-users@lists.sourceforge.net
18. https://lists.sourceforge.net/lists/listinfo/stripes-users
------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
