Bugtraq mailing list archives

Re: Intacct.com: Multiple bugs at financial services company


From: Rob Mayoff <mayoff () DQD COM>
Date: Wed, 6 Sep 2000 13:43:12 -0500

+---------- On Sep 6, Chris L. Mason said:
| If you use a form-based system to allow logins, what's to stop someone from
| writing a new browser, or modifying an existing one (or using a plug-in,
| or proxy) to automatically re-submit the form every 5 minutes so that the
| user doesn't have to login manually?

Nothing will stop you from doing so. But that is completely irrelevant.

We're not talking about preventing you from writing a client that
misbehaves. We're talking about preventing malicious web sites from
mounting attacks on other web sites via the client. So we only care
about the behavior of clients people actually USE, starting with the
most popular clients. Your own custom browser is irrelevant because only
you use it, and you've purposely made it less secure.

The goal is to protect the vast, naive majority from cross-site
scripting. HTTP authentication makes that difficult, because there's no
way to tell the client to time out or forget the authentication data.
You can send a 403 Forbidden response, which (in Netscape at least)
will make the browser forget its authentication, but then the browser
will immediately prompt the user to re-enter his username and password.
This will confuse a lot of users, who will very likely re-enter their
credentials, leaving themselves logged in.

| I wish companies would focus on providing services as secure as possible at
| their end.  You only control *your* systems, so focus on securing *them*.
| I think if you consider the benefits to yourselves and your customers it
| should be obvious which architecture is better.

The architecture of HTTP authentication, and the current implementations
of it, are insufficient for secure services.
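The property the message above says HTTP authentication lacks, a login the server can time out or forget, is exactly what a cookie-based session store gives the server. The following is an added example, not code from the original post or from Intacct: a minimal server-side session table in Python with an idle timeout, an absolute lifetime and an explicit logout; the timeout values and the injectable clock are constructed for the walkthrough.

```python
import secrets
import time

IDLE_TIMEOUT = 5 * 60           # constructed: seconds without a request before the login dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # constructed: hard cap on a login's lifetime, active or not


class SessionStore:
    """Server-side session table keyed by an opaque random token. The browser
    holds only the token (in a cookie); the record giving it meaning lives here."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so the walkthrough is deterministic
        self._sessions = {}

    def login(self, username):
        token = secrets.token_urlsafe(32)  # 256 random bits; unguessable
        t = self._now()
        self._sessions[token] = {"user": username, "created": t, "last_seen": t}
        return token

    def resolve(self, token):
        # Map a presented token to its user, or None if the login is dead.
        rec = self._sessions.get(token)
        if rec is None:
            return None
        t = self._now()
        if t - rec["created"] > ABSOLUTE_TIMEOUT or t - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # forgotten server-side; the cookie is now inert
            return None
        rec["last_seen"] = t           # sliding window: activity extends the login
        return rec["user"]

    def logout(self, token):  # explicit logout: the token dies even if the cookie survives
        self._sessions.pop(token, None)


def demo():
    clock = [1_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    tok = store.login("alice")
    seen = [store.resolve(tok)]         # 'alice'
    clock[0] += IDLE_TIMEOUT - 1
    seen.append(store.resolve(tok))     # 'alice': the window slid forward
    clock[0] += IDLE_TIMEOUT + 1
    seen.append(store.resolve(tok))     # None: idle too long
    tok2 = store.login("alice")
    store.logout(tok2)
    seen.append(store.resolve(tok2))    # None: revoked on logout
    return seen
```

With HTTP Basic the browser would keep resending the cached credentials on every request, so none of these three server-side decisions (idle expiry, lifetime cap, logout) has any effect on the client.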