Vulnerability Development mailing list archives
Re: Single SignOn
From: vamprella () CHICKMAIL COM (Vanna P. Rella)
Date: Thu, 24 Feb 2000 11:44:10 -0800
On Thu, 24 Feb 2000 12:21:07 Ben Grubin wrote:

> Good lord, I hope this saves you a lot of trouble.

It sure has! Thank you so much for responding :)

> The enCommerce application is unbelievably shaky. Security-wise, since it utilizes CORBA services in a multi-tier method, it becomes hellishly unhappy to firewall between the CORBA service providers and the clients (such as the Netscape Enterprise Server plugin); its use of UDP also makes this challenging.

Wow, didn't realize it's using UDP. UDP is traditionally insecure. However, if they're using crypto APIs, wouldn't that solve the problem? OK, let me see if I understand this correctly in really super easy basic terms. The client says "hey, I wanna sign on to your super cool site". GetAccess sends a request going through the ORB to the Client Implementation. A reply is made from the server behind the firewall (holding all types of Phun things), opening UDP ports to talk to the client in the Internet Cloud. Does multi-tier method mean that it

> More importantly though, they used CORBA without a real need---it's overly complex.

The only thing I know about CORBA is that it stands for Common Object Request Broker Architecture. My concerns were originally about using cookies for authentication. Although they'd be 'encrypted', there are still problems with cross-site scripting, stealing cookies, replacing cookies, etc. Best practices state that cookies are not a Good Thing(tm) when security is a concern. However, I don't really know any other alternative. But now with this whole CORBA thing on top of it ...

> We did a major ecommerce financial implementation, and found its scalability *severely* lacking. We're probably 15 patchlevels ahead of the standard distribution, and even then it's the most common component failure in the entire system.

This is great information. In their presentation, they stated something about how UPS uses the service and they're getting massive hits and using only one box. They made it seem like scalability wasn't an issue. It was one of their selling points.

> At its core, it's simply an immature product, much like the rest of the space, but it does have potential. I do not have experience with the IBM product to compare it.

So, have you worked with any products that were good? Which product would you recommend?

> Hope it helps,
> Cheers,
> Ben
> ---
> Benjamin P. Grubin / bgrubin () scient com - PGP key available
> Infrastructure/Security Architect / mobile (617) 513-5978 fax (617) 585-3230
> Scient -- Be Legendary / http://www.scient.com/ ticker://SCNT
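The cookie worry raised above (an 'encrypted' cookie can still be stolen or replaced) in working code, as an added example that is not part of this thread or of the enCommerce product: a session cookie carrying an HMAC tag and an expiry. A modified cookie fails the tag check, but a stolen copy still verifies until it expires, which is why integrity protection plus short lifetimes (and HttpOnly/Secure flags in the browser) matter more than encryption alone. The key, user names and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this secret server-side.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def issue_cookie(user: str, ttl_seconds: int, now: int) -> str:
    """Return '<b64 payload>.<b64 HMAC-SHA256 tag>' for a session that expires at now + ttl."""
    payload = json.dumps({"u": user, "exp": now + ttl_seconds}, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)


def verify_cookie(cookie: str, now: int):
    """Return the user name if the cookie is untampered and unexpired, else None."""
    try:
        p, t = cookie.split(".")
        payload, tag = unb64(p), unb64(t)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # a "replaced" (modified) cookie: the tag no longer matches
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired: limits how long a stolen copy stays useful
    return claims["u"]


def demo(now: int = 1_000_000) -> dict:
    """Exercise the four cases the thread worries about; returns a dict of outcomes."""
    cookie = issue_cookie("vanna", 600, now)
    _, tag = cookie.split(".")
    # Same tag, different claims: the server must reject this.
    forged = json.dumps({"u": "admin", "exp": now + 600}, separators=(",", ":")).encode()
    return {
        "valid": verify_cookie(cookie, now + 10),
        "tampered": verify_cookie(b64(forged) + "." + tag, now + 10),
        "replayed_before_expiry": verify_cookie(cookie, now + 599),  # stolen copy still works
        "replayed_after_expiry": verify_cookie(cookie, now + 601),
    }
```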