Hey Maurice,

2010/2/8 Maurice Gittens:
> Thanks mobi for bringing up the topic.
>
> I too would be interested in seeing a document that explains why
> the attack vector you sketch would fail by measures explicitly
> taken to counteract them.
>
>
>> >> > Nevertheless, we take security seriously,
>> I am convinced. However I am sure that challenging it from time to time
>> gives more confidence
>> both to the community and you.
>>
>> > convinced that there is a security problem and think of a way of
>> > triggering it, you can easily convince us by demonstrating it ?
>
>
> I think this should be the other way around.
>
> Security should not be by obscurity. So the burden is on Emweb to
> show by what security measures and general design measures Wt is secure.

Certainly it should not be by obscurity. There is already some information at
http://redmine.webtoolkit.eu/wiki/wt/Frequently_Asked_Questions#Q-Building-web-applications-in-a-low-level-language-like-C-Have-you-never-heard-of-buffer-overruns

I welcome any feedback and requests for clarifications.

> So what are the invariants that ensure that Wt sessions cannot be hijacked?

Among users, the session ID is a secret which is assumed to not be compromised.
Within a session, the library keeps track of which signals are exposed and
consequently which slots may be triggered at any given point in time.

> If you share this information the community could then evaluate the Wt
> security model without having
> to keep up with the daily evolution of the code.

I agree. Note that w.r.t. this security model, nothing has changed over the
last 2 (even 3?) years.

Regards,
koen

_______________________________________________
witty-interest mailing list
https://lists.sourceforge.net/lists/listinfo/witty-interest
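As an added illustration (not Wt's own code and not from this thread), here is a minimal C++ model of the invariant koen describes: the session keeps track of which signals are currently exposed, and a request triggers a slot only if the session ID matches and that signal is exposed at that moment. The Session class, signal names and session ID are assumptions constructed for the example.

```cpp
// Added example (not Wt's own code): a minimal model of the invariant koen
// describes, where a session dispatches only slots whose signals are exposed.
#include <functional>
#include <map>
#include <string>
#include <utility>

class Session {
public:
    using Slot = std::function<void()>;
    explicit Session(std::string id) : id_(std::move(id)) {}

    // Server side renders a widget the client may interact with: expose its signal.
    void expose(const std::string& signal, Slot slot) { exposed_[signal] = std::move(slot); }
    // Widget hidden, disabled or destroyed: its slot is unreachable from now on.
    void unexpose(const std::string& signal) { exposed_.erase(signal); }

    // Client request "trigger `signal` in session `sessionId`". Accepted only if the
    // session id matches and the signal is exposed right now; otherwise ignored.
    bool handleRequest(const std::string& sessionId, const std::string& signal) {
        if (sessionId != id_) return false;      // unknown or forged session id
        auto it = exposed_.find(signal);
        if (it == exposed_.end()) return false;  // slot exists, but is not reachable
        it->second();
        return true;
    }

private:
    std::string id_;
    std::map<std::string, Slot> exposed_;
};

struct Outcome {
    bool hiddenAccepted, wrongSessionAccepted, visibleAccepted, afterHideAccepted;
    int deleteCalls;
};

// Scenario: an "admin delete" slot exists in the widget tree but is only exposed
// while the admin panel is rendered. The session id is a constructed sample value.
Outcome runScenario() {
    const std::string sid = "constructed-session-id-1234";
    Session s(sid);
    int deleteCalls = 0;
    Outcome o{};
    o.hiddenAccepted = s.handleRequest(sid, "admin.delete");          // panel not shown
    s.expose("admin.delete", [&deleteCalls] { ++deleteCalls; });       // panel rendered
    o.wrongSessionAccepted = s.handleRequest("other-id", "admin.delete");
    o.visibleAccepted = s.handleRequest(sid, "admin.delete");         // legitimate click
    s.unexpose("admin.delete");                                        // panel hidden
    o.afterHideAccepted = s.handleRequest(sid, "admin.delete");       // stale request
    o.deleteCalls = deleteCalls;
    return o;
}
```

The point of the model is that the server decides reachability: a client cannot invoke a slot that the server has not exposed in its current state, whatever request it sends.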
