[Cosmo-dev] CMP and AJAX

Travis Vachon travis at osafoundation.org
Thu Sep 21 12:03:55 PDT 2006


No, I definitely agree. There are really two distinct issues here:

1) Transport security. SSL fixes this problem. Novel approaches like the
one described here:

http://www.xml.com/pub/a/2003/12/17/dive.html

could also solve it. This is, basically, a solved problem, and we can
use standard solutions.

2) Credentials security. The crux of our problem is that we need
credentials to persist on the client side. Browsers have solved this
(from a quick peek at the source, it looks like Firefox just stores
passwords (unencrypted) in memory) but they've solved it like an
elephant solves Swan Lake - ugly.

We'd like to make things AJAX-y, which means storing the password so
that JavaScript can get access to it. Two solutions immediately come to
mind:

a) Have the server inject credentials into a page so that the client can
then send them to the CMP server.
 + Easy
 - Credentials end up in browser cache (!!!)
 - Credentials frequently sent across wire

b) Have the client store credentials in a transient (session) cookie
when the user logs in.
 + As far as I can tell, credentials never written to disk
 + Credentials never sent across wire except when needed to authenticate
   to CMP
 - Maybe a little trickier (but not really)

After some thought, I don't like a). b) actually seems close to how
browsers implement credential caching at the moment, which seems like it
is about as good as we can hope for. I could be misunderstanding how
browsers do caching or how transient cookies work, so please correct any
mistakes!

Also, if there is a third option, please let me know.

Thanks!

Travis



Matthew Eernisse wrote:
> A small distinction that might be worth noting -- compromising a
> session means an attacker can do Bad Things right then. Compromising
> the password means the attacker can do Bad Things at will and at his
> leisure, without the user immediately knowing security has been
> compromised.
>
> Also since users tend to re-use passwords the attacker could also end
> up getting access to the unsuspecting user's online bank account, etc.
>
> I may be going overboard on the paranoia -- but the black eye from
> compromised security lasts a long time. Just trying to consider all
> the angles.
>
>
> M.
>
> Brian Moseley wrote:
>>>
>>> for the record, this is the approach i favor. i am not worried about
>>> defending against an attacker with a js shell - if he's already at the
>>> keyboard with an in-process cosmo session, he doesn't need to steal
>>> the password, cos he's already in ;)
>>>
>> _______________________________________________
>> cosmo-dev mailing list
>> cosmo-dev at lists.osafoundation.org
>> http://lists.osafoundation.org/mailman/listinfo/cosmo-dev
>>
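
Editor's added example (not part of the thread and not Cosmo code): a small model of the RFC 6265 cookie rules that decide the two properties discussed for option (b), namely whether a cookie is transient and which requests carry it. The host `cosmo.example`, the `/cmp` and `/pim` paths, and the cookie name `cred` are assumptions made for illustration; same-host requests are assumed.

```javascript
// Added example. Host, paths and cookie name are constructed placeholders.

// Parse a string as it would be assigned to document.cookie.
// defaultPath stands in for the directory of the page that sets the cookie.
function parseCookie(str, defaultPath = '/') {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: defaultPath, secure: false, persistent: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'path' && v.trim().startsWith('/')) cookie.path = v.trim();
    else if (key === 'secure') cookie.secure = true;
    // Expires or Max-Age makes the cookie persistent (eligible for disk).
    else if (key === 'expires' || key === 'max-age') cookie.persistent = true;
  }
  return cookie;
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie to a request for url?
function isSentWith(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== 'https:') return false;
  return pathMatches(u.pathname, cookie.path);
}

// Constructed sample cookies and request URLs.
const broad = parseCookie('cred=PLACEHOLDER; Path=/');
const scoped = parseCookie('cred=PLACEHOLDER; Path=/cmp; Secure');
const requests = [
  'https://cosmo.example/cmp/user/alice',
  'https://cosmo.example/pim/calendar',
  'http://cosmo.example/cmp/user/alice',
  'https://cosmo.example/cmpx/other',
];

function report() {
  return requests.map((url) => ({
    url, broad: isSentWith(broad, url), scoped: isSentWith(scoped, url) }));
}
console.table(report());
```

The `broad` cookie accompanies every request to the host, including plain HTTP, while the `scoped` one is attached only to HTTPS requests under the assumed `/cmp` path.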


