Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: [Webappsec] Paper: Weaning the Web off of Session Cookies
From: "Timothy D. Morgan" <tmorgan () vsecurity com>
Date: Fri, 5 Feb 2010 08:06:09 -0800


Arian,

Sorry for the slow reply.  I'm overseas right now and it's tough to
keep up with email.

I think this thread might be about dead, but I will respond to a few
comments:


All good ideas, but I believe stillborn at this point. You would get
far more mileage IMO out of promoting "HTTP 2.0" and issuing in a
separate data and control channel for the browser, and then look at
something like this for dynamic auth tokens, combined with data
structure nonces as well. Kill two birds with one stone. Folks that
want strong dynamic auth are probably largely the same folks who want
strong data structures enforced.

Far too often security initiatives fail to gain any momentum because
they bite of far more than they can chew.  I'd love to redesign digest
authentication, for instance, or push for good browser support of some
truly safe HTTP authentication protocols, but that would be much more
likely to fail.  I see this as a relatively easy fix to open up a new
option in web app development.


As more and more app development moves to hardware platforms
(iAppleStuffs) and social media aka Ad-metadata networks (Facebook,
Google *.google.com apps, webmail, etc.) cookies are an easy and
transparent way to fly, that work now, all the time, and have clear
business drivers behind them for auth tracking (and working now, all
the time).

Many modern web 2.0 products use cookies for auth = tracking, not auth
= confidentiality.

I never said cookies should go away.  I merely want cookies to stop
being used for managing authenticated sessions in most applications.
Some applications may still require that flexibility, however, and for
those they can be more carefully audited.

The majority of internet users use modern apps where auth = "identity
tracking and sharing", and statistics support this.

These same users will readily glue their private, regulated,  banking
apps together with Farmville in some mad web 2.0 gadget-ridden mashup,
that is cross-domain shared and scripted by default. Which is one area
cookies rule.

Well, sure, they do currently rule.  There's no reason HTTP
authentication can't be used to authenticate a cross-origin unified
identity.

I'm going to drop out of this thread as we are at a point where we
disagree on premise, and possibly ideology.

I'm fine to agree on disagreeing as well.

Cheers,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]