Vulnerability Development mailing list archives
Re: Single SignOn
From: BGrubin () SCIENT COM (Ben Grubin)
Date: Thu, 24 Feb 2000 13:54:00 -0600
-----Original Message-----
From: Vanna P. Rella [mailto:vamprella () chickmail com]
Sent: Thursday, February 24, 2000 2:44 PM
To: Ben Grubin
Cc: VULN-DEV () SECURITYFOCUS COM
Subject: RE: Single SignOn

> Wow, didn't realize it's using UDP. UDP is traditionally insecure. However, if they're using crypto APIs, wouldn't that solve the problem?
UDP in and of itself is not insecure, but since it's connectionless you have less opportunity to be nice and stateful on the firewalls. Additionally, I don't know what type of environment you will be working with, but most major financial house security policies prohibit passing UDP over firewalls. This may not be a big deal in your environment, but it was in ours.
> OK, let me see if I understand this correctly in really super easy basic terms. The client says "hey, I wanna sign on to your super cool site". GetAccess sends a request going through ORB to the Client Implementation. A reply is made from the server behind the firewall (holding all types of Phun things) opening UDP ports to talk to the client in the Internet Cloud. Does multi-tier method mean that it
Somewhat. The CORBA services and client services can coexist on a single machine, or in the same layer as the clients are in (as in not separated by a firewall), which is what we had to do to avoid the UDP issues. This is "not good" since you want your object repository not to be exposed to the internet, since it presents a greater risk factor than say---someone owning a web server. What happens is you access a client plugin (i.e. through a netscape web server), which then generates an authentication request to the CORBA repository (hello VISIBROKER); this is the UDP request. This request is eventually passed to what enCommerce calls the "SMS", which is a service whose responsibility it is to maintain session state. This service generates the cookie which is sent back to the client. The cookies are implemented properly. Encrypted and stateless. I have no security problem with that at all.
> > More importantly though, they used CORBA without a real need---it's overly complex.

> The only thing I know about CORBA is that it stands for Common Object Request Broker Architecture. My concerns were originally about using cookies for authentication. Although they'd be 'encrypted' there are still problems with cross-site scripting, stealing cookies, replacing cookies, etc. Best practices states that cookies are not a Good Thing(tm) when security is a concern. However, I don't really know any other alternative. But now with this whole Corba thing on top of it ...
CORBA is just a mess. It's a huge overbuilt standard that theoretically should support extreme scalability, but the visibroker crap is just poorly implemented and broken. In a perfect world, when you need to distribute SSO services over a massive network, CORBA can be a boon, making it simple to replicate and maintain authentication services over a wide area, but in most implementations this is rarely required. Because of the complexity of the visibroker/CORBA services, they end up being more trouble than they are worth 98.6% of the time (IMHO). Of course, the functionality *may* be useful in your environment. Dunno.
> > We did a major ecommerce financial implementation, and found its scalability *severely* lacking. We're probably 15 patchlevels ahead of the standard distribution, and even then it's the most common component failure in the entire system.

> This is great information. In their presentation, they stated something about how UPS uses the service and they're getting massive hits and using only one box. They made it seem like scalability wasn't an issue. It was one of their selling points.
Marketing.
> > At its core, it's simply an immature product, much like the rest of the space, but it does have potential. I do not have experience with the IBM product to compare it.

> So, have you worked with any products that were good? Which product would you recommend?
Unfortunately, the entire space is mostly immature. I tend to like the more generalized directory services implementations over specialized SSO product. I specifically like X.500 based services like NDS, and to a limited extent, LDAP, but YMMV.

Cheers,
Ben

---
Benjamin P. Grubin / bgrubin () scient com - PGP key available
Infrastructure/Security Architect / mobile (617) 513-5978 fax (617) 585-3230
Scient -- Be Legendary / http://www.scient.com/ ticker://SCNT
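The "encrypted and stateless" cookie model Ben describes, and the stolen/replaced-cookie concern Vanna raises, can be seen in a small integrity-protected session token. This is an added illustration, not GetAccess or enCommerce code: it authenticates the cookie with an HMAC (payload encryption would be layered on with an AEAD library, which the standard library lacks) and rejects a cookie whose user field has been swapped or whose lifetime has passed. The key, lifetime and claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret and lifetime (assumptions); load the real key from a protected store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 15 * 60


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_cookie(user: str, now: Optional[float] = None) -> str:
    """Build a self-contained session token: base64(claims) '.' base64(mac)."""
    issued = int(now if now is not None else time.time())
    claims = json.dumps({"sub": user, "iat": issued}, separators=(",", ":")).encode()
    mac = _sign(claims)
    return (base64.urlsafe_b64encode(claims) + b"." + base64.urlsafe_b64encode(mac)).decode()


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the cookie is authentic and fresh; None means reject."""
    try:
        claims_b64, mac_b64 = cookie.encode().split(b".", 1)
        claims = base64.urlsafe_b64decode(claims_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return None  # malformed: not even the right shape
    # Constant-time comparison so the server leaks nothing about how close a forgery is.
    if not hmac.compare_digest(mac, _sign(claims)):
        return None  # replaced or edited cookie: the MAC no longer matches
    fields = json.loads(claims)
    current = now if now is not None else time.time()
    if current - fields["iat"] > MAX_AGE_SECONDS:
        return None  # stale: bounds how long a stolen cookie stays usable
    return fields["sub"]


def replace_subject(cookie: str, new_user: str) -> str:
    """Simulate the 'replaced cookie' case: change the user but keep the original MAC."""
    claims_b64, mac_b64 = cookie.split(".", 1)
    fields = json.loads(base64.urlsafe_b64decode(claims_b64))
    fields["sub"] = new_user
    forged = json.dumps(fields, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(forged).decode() + "." + mac_b64
```

The MAC stops replacement and editing; it does not stop a cookie copied verbatim (the XSS/theft case), which is why the short lifetime and transport protection still matter.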