WebApp Sec: Re: Problems with most web app auth schemes

Re: Problems with most web app auth schemes

From: George W. Capehart <gwc_at_capehassoc.com>
Date: Mon, 28 Jul 2003 17:04:46 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 27 July 2003 09:17 pm, Tim wrote:

<snip>

> The thing is, the vast majority of web applications do no
> authentication upon signup. None at all. You set up a yahoo
> account, do they care if you are really John Q. Doe? No. But once
> you do have an account, and you start *using* that account, and
> people begin to implicitly think that the email address you use is
> actually you, whether you ever state your name or not. That is how
> humans are. Currently though, systems are pretty easy to attack even
> after the account is set up.
>
> So, the point is, you could sign up for a yahoo account with a
> private key, associate it with your new yahoo email address, and
> there we have it. A good authentication system based upon the
> initial signup. (and only as good as the initial setup)
>

Hi Tim,

This is a *very* good point. I totally missed it in your first post. I
totally share your concern about this!

> You do bring up a good point, that is, another poster in this
> discussion stated "Authentication is easy". This is totally bogus.
> The most difficult part of any of this is identifying who you are
> talking to upon first contact. This is why your CAs will do so much
> (probably not enough) checking on your identity when you buy a cert.
> So yeah, this is a really hard problem.

Which is what the CAs and RAs were supposed to solve . . . Not sure
we're all the way there yet . . . ;->

>
> But, this isn't the problem most people want to solve. And there is
> no reason why people shouldn't have the option to use a public key
> system for website authentication. It just makes sense. That way,
> the system will no longer rely on the technical security of your
> apps, it will merely rely on the amount of verification the
> administrators decide to employ upon sign-up. They should have the
> ability to pick a PKI of their own. (Should a decent standard for
> those exist some day. =)

I totally agree that using digital certs for authentication is a
reasonable option . . . I personally like it much better than the usual
zero- or single-factor schemes typically in use.

Regards,

George
- --
George W. Capehart

"With sufficient thrust, pigs fly just fine . . ."
 -- RFC 1925

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/JY/3PhMbfSg3fpARAnItAJ9pcq+POC+hLXPqw3IuUxKxWxl4DwCgza19
Leqn3fGoA/POWTTA3GiCvLY=
=0Q4v
-----END PGP SIGNATURE-----
Received on Jul 28 2003
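The scheme Tim sketches above, registering a public key at signup and then relying on it for every later login, is easy to get subtly wrong (replayable signatures, challenges reusable across accounts). The following Go program is an added illustration, not code from this thread or from any real web application: it assumes Ed25519 keys, an in-memory account store, and a challenge-response login in which the server issues a one-time nonce and the client signs it. The names `Server`, `Signup`, `Challenge`, `Login` and `SignChallenge` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is a constructed, in-memory stand-in for a web application's
// account store. accounts maps an email address to the public key that was
// presented at signup; pending holds the outstanding login challenge per account.
type Server struct {
	accounts map[string]ed25519.PublicKey
	pending  map[string][]byte
}

func NewServer() *Server {
	return &Server{
		accounts: make(map[string]ed25519.PublicKey),
		pending:  make(map[string][]byte),
	}
}

// NewAccountKey generates the user's key pair. The private key stays with the
// user; only the public half is ever sent to the site.
func NewAccountKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Signup binds a public key to an email address. No identity vetting happens
// here, which is exactly the thread's point: every later login is only as
// trustworthy as this initial binding.
func (s *Server) Signup(email string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if _, exists := s.accounts[email]; exists {
		return errors.New("account already exists")
	}
	s.accounts[email] = pub
	return nil
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(email string) ([]byte, error) {
	if _, ok := s.accounts[email]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[email] = nonce
	return nonce, nil
}

// challengeMessage is what actually gets signed. Including a purpose tag and
// the account name means a signature cannot be replayed against a different
// account or reused for a different protocol that signs raw nonces.
func challengeMessage(email string, nonce []byte) []byte {
	return []byte("webapp-login-v1\n" + email + "\n" + hex.EncodeToString(nonce))
}

// SignChallenge is the client side: sign the server's challenge with the
// private key registered at signup.
func SignChallenge(priv ed25519.PrivateKey, email string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeMessage(email, nonce))
}

// Login verifies the signature against the stored public key and consumes the
// challenge, so a captured signature is useless for a second login.
func (s *Server) Login(email string, sig []byte) bool {
	pub, known := s.accounts[email]
	nonce, pending := s.pending[email]
	if !known || !pending {
		return false
	}
	delete(s.pending, email) // single use
	return ed25519.Verify(pub, challengeMessage(email, nonce), sig)
}

func main() {
	srv := NewServer()
	pub, priv := NewAccountKey()
	email := "user@example.invalid" // constructed sample account
	if err := srv.Signup(email, pub); err != nil {
		panic(err)
	}
	nonce, _ := srv.Challenge(email)
	sig := SignChallenge(priv, email, nonce)
	fmt.Println("first login:", srv.Login(email, sig))  // true
	fmt.Println("replayed login:", srv.Login(email, sig)) // false
}
```

The two properties worth noticing are the ones the thread leaves implicit: the server never learns the private key, so compromising the application's password database yields nothing reusable, and the one-time, account-bound challenge keeps a sniffed login exchange from being replayed.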
