Educause Security Discussion mailing list archives
Re: Vulnerability? Or...not so much?
From: Charles Buchholtz <chip+educause () SEAS UPENN EDU>
Date: Sat, 3 Apr 2010 23:27:16 -0400
On Sat, Apr 03, 2010 at 09:35:58PM -0400, David Shettler wrote:

> Unfortunately, the vendor refuses to acknowledge that the problem is a security issue, and thus won't remedy it. Their opinion is that the URI randomization, and 60 minute temporary nature of the files is sufficient 'security'.

If you think of the URI as a username/password, you probably already have Authentication/Authorization/Accounting standards for this situation.

Think of the URI as a guessable part (the "username") and a non-guessable part (the "password"). If this were an application that provided users with a username/password that was only good for 60 minutes, would it be acceptable? Does the "password" meet your standards? Is it sent over clear-text (http) or encrypted (https)? Do you have logging and brute force protection? Do you have a requirement that all authentication use a centralized system?

A sixty minute password is worse than a one-time pad or two factor, but it's better than a password that is changed monthly. This might be better than your normal authentication, or it may be worse.

There are a couple of issues that are specific to this situation:

1) The "passwords" may meet your requirements for user chosen passwords, but they may be guessable by someone who knows or reverse engineers the algorithm. Besides users of your system who may generate many URIs looking for a pattern, you need to worry about users of the same application software at other sites.

2) What if a future upgrade or patch of the software starts using easily guessable URIs?

Bottom line: If you trust them not to dumb down the URI in the future, and the "password" meets your standards for guess-ability, logging, brute force protection, secure communication, etc., then you have to consider the reduced risk of 60 minute disposable passwords vs the increased risk of passwords that are generated by an algorithm.

I'm not opposed to passwords generated by an algorithm, if the algorithm is sufficiently random and has a large enough set of possible passwords.

--- Chip

Charles H. Buchholtz
Director of Systems Programming
chip () seas upenn edu
School of Engineering and Applied Science
http://www.seas.upenn.edu/~chip
University of Pennsylvania

"This letter is longer than usual, because I lack the time to make it short" --- Blaise Pascal
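
An added example, not part of the original message: a Python sketch that puts numbers on the questions the reply raises, splitting a link into its guessable and non-guessable parts, bounding the token's entropy, and estimating the chance a guesser hits a live link inside the 60-minute window. The host name, sample tokens, guess rate and lockout threshold are constructed assumptions.

```python
import math
import secrets
import string

WINDOW_SECONDS = 60 * 60  # the 60-minute file lifetime from the thread

def split_uri(uri):
    """Return (guessable part, non-guessable part): up to the last '/', then the rest."""
    base, _, token = uri.rpartition("/")
    return base + "/", token

def token_bits(tokens):
    """Upper bound on entropy in bits: token length * log2(alphabet class).
    Only a ceiling: a generator built on counters or timestamps is far weaker."""
    chars = set("".join(tokens))
    if chars <= set(string.digits):
        alphabet = 10
    elif chars <= set(string.hexdigits):
        alphabet = 16
    else:
        alphabet = 64  # URL-safe base64
    return min(len(t) for t in tokens) * math.log2(alphabet)

def hit_probability(bits, guesses_per_second, live_links=1, lockout_after=None):
    """Upper-bound chance that uniform guessing finds any live link in one window.
    lockout_after models brute-force protection as a hard cap on total guesses."""
    guesses = guesses_per_second * WINDOW_SECONDS
    if lockout_after is not None:
        guesses = min(guesses, lockout_after)
    return min(1.0, guesses * live_links / 2.0 ** bits)

def new_link(base):
    """Mint a link whose token comes from the OS CSPRNG (128 bits)."""
    return base + secrets.token_urlsafe(16)

# Constructed sample data: a hypothetical host and made-up tokens.
BASE = "https://files.example.edu/tmp/"
WEAK = [BASE + t for t in ("4817", "5296", "7703")]
STRONG = [new_link(BASE) for _ in range(3)]

def report(uris, **kw):
    """Return (entropy ceiling in bits, hit probability) for a sample of links."""
    bits = token_bits([split_uri(u)[1] for u in uris])
    return bits, hit_probability(bits, **kw)

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("strong", STRONG)):
        bits, p = report(sample, guesses_per_second=10, live_links=50)
        print(f"{name}: <= {bits:.0f} bits, P(hit in 60 min) = {p:.3g}")
```

The entropy figure is only a ceiling based on token length and character class; it says nothing about whether the vendor's generator is predictable, which is the first of the two issues the reply lists.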