[Cosmo-dev] CMP and AJAX
travis at osafoundation.org
Thu Sep 21 12:03:55 PDT 2006
No, I definitely agree. There are really two distinct issues here:

Transport security. SSL fixes this problem. Novel approaches like the
one described here:
could also solve it. This is, basically, a solved problem, and we can
use standard solutions.

Credentials security. The crux of our problem is that we need
credentials to persist on the client side. Browsers have solved this
(from a quick peek at the source, it looks like Firefox just stores
passwords (unencrypted) in memory) but they've solved it like an
elephant solves Swan Lake - ugly.

We'd like to make things AJAX-y, which means storing the password so

a) Have the server inject credentials into a page so that the client can
then send them to the CMP server.
- Credentials end up in browser cache (!!!)
- Credentials frequently sent across wire

b) Have the client store credentials in a transient (session) cookie
when the user logs in.
+ As far as I can tell, credentials never written to disk
+ Credentials never sent across wire except when needed to authenticate
- Maybe a little trickier (but not really)

After some thought, I don't like a). b) actually seems close to how
browsers implement credential caching at the moment, which seems like it
is about as good as we can hope for. I could be misunderstanding how
browsers do caching or how transient cookies work, so please correct any

Also, if there is a third option, please let me know.
Matthew Eernisse wrote:
> A small distinction that might be worth noting -- compromising a
> session means an attacker can do Bad Things right then. Compromising
> the password means the attacker can do Bad Things at will and at his
> leisure, without the user immediately knowing security has been
> Also since users tend to re-use passwords the attacker could also end
> up getting access to the unsuspecting user's online bank account, etc.
> I may be going overboard on the paranoia -- but the black eye from
> compromised security lasts a long time. Just trying to consider all
> the angles.
> Brian Moseley wrote:
>>> for the record, this is the approach i favor. i am not worried about
>>> defending against an attacker with a js shell - if he's already at the
>>> keyboard with an in-process cosmo session, he doesn't need to steal
>>> the password, cos he's already in ;)
>> cosmo-dev mailing list
>> cosmo-dev at lists.osafoundation.org
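
Option b) in the message above relies on a transient (session) cookie. As an added example (not code from the thread or from Cosmo), the following JavaScript builds such a cookie without Expires/Max-Age and applies the RFC 6265 path-match and Secure checks to show which requests would carry it. The cookie name `cmp_auth`, the host `cosmo.example` and the `/cmp` path are assumptions made for illustration.

```javascript
// Added example: which requests carry a session cookie like the one in option b).
// Implements the path-match and Secure checks of RFC 6265 (sections 5.1.4 and 5.4).
// Host matching is omitted: the cookie is assumed to be host-only.

// Build a Set-Cookie style string with no Expires/Max-Age, so the browser
// treats it as a session cookie and discards it when the session ends.
function sessionCookie(name, value, { path = "/", secure = true } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (secure) parts.push("Secure");
  parts.push("SameSite=Strict");
  return parts.join("; ");
}

// Parse the attributes that decide lifetime and scope.
function parseCookie(str) {
  const [pair, ...attrs] = str.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: "/", secure: false, persistent: false };
  for (const a of attrs) {
    const [k, v = ""] = a.split("=");
    const key = k.toLowerCase();
    if (key === "path") cookie.path = v;
    else if (key === "secure") cookie.secure = true;
    else if (key === "expires" || key === "max-age") cookie.persistent = true;
  }
  return cookie;
}

// RFC 6265 section 5.1.4: "/cmp" matches "/cmp" and "/cmp/x" but not "/cmpx".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// True when a browser would attach the cookie to a request for this URL.
function isSentWith(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return pathMatches(u.pathname, cookie.path);
}

// Constructed sample: credentials scoped to the (assumed) /cmp path only.
const scoped = parseCookie(sessionCookie("cmp_auth", "user:pw", { path: "/cmp" }));
console.log(isSentWith(scoped, "https://cosmo.example/cmp/user/x"));
console.log(isSentWith(scoped, "https://cosmo.example/pim/logo.png"));
```

With the default `Path=/`, the same cookie would accompany every request to the host, including images and scripts, so the Path and Secure attributes determine how often the stored value crosses the wire.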