WebApp Sec mailing list archives

Re: Problems with most web app auth schemes


From: "George W. Capehart" <gwc () capehassoc com>
Date: Mon, 28 Jul 2003 17:04:46 -0400


On Sunday 27 July 2003 09:17 pm, Tim wrote:

> <snip>
>
> The thing is, the vast majority of web applications do no
> authentication upon signup.  None at all.  You set up a yahoo
> account, do they care if you are really John Q. Doe?  No. But once
> you do have an account, and you start *using* that account, and
> people begin to implicitly think that the email address you use is
> actually you, whether you ever state your name or not.  That is how
> humans are.  Currently though, systems are pretty easy to attack even
> after the account is set up.
>
> So, the point is, you could sign up for a yahoo account with a
> private key, associate it with your new yahoo email address, and
> there we have it.  A good authentication system based upon the
> initial signup.  (and only as good as the initial setup)


Hi Tim,

This is a *very* good point.  I totally missed it in your first post.  I 
totally share your concern about this!


> You do bring up a good point, that is, another poster in this
> discussion stated "Authentication is easy".  This is totally bogus.
> The most difficult part of any of this is identifying who you are
> talking to upon first contact.  This is why your CAs will do so much
> (probably not enough) checking on your identity when you buy a cert.
> So yeah, this is a really hard problem.

Which is what the CAs and RAs were supposed to solve . . . Not sure 
we're all the way there yet . . . ;->


> But, this isn't the problem most people want to solve.  And there is
> no reason why people shouldn't have the option to use a public key
> system for website authentication.  It just makes sense.  That way,
> the system will no longer rely on the technical security of your
> apps, it will merely rely on the amount of verification the
> administrators decide to employ upon sign-up.  They should have the
> ability to pick a PKI of their own.  (Should a decent standard for
> those exist some day. =)

I totally agree that using digital certs for authentication is a 
reasonable option . . . I personally like it much better than the usual 
zero- or single-factor schemes typically in use.


Regards,

George
-- 
George W. Capehart

"With sufficient thrust, pigs fly just fine . . ."
 -- RFC 1925

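A minimal version of the scheme Tim sketches (a key pair registered at signup, then a challenge-response login checked against that key), as an added example that is neither Tim's nor George's code and not part of the thread. It assumes Ed25519 keys, a server that holds one single-use nonce per account, and a constructed context string `webapp-login:`; who the person really is at signup is, as the thread says, left unverified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server keeps the public key registered at signup and one outstanding login
// nonce per account. As the thread says, it is only as good as that signup step.
type Server struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// Signup binds an account name to a public key; the private key never leaves the client.
func (s *Server) Signup(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce valid for one login attempt. It is issued
// even for unknown accounts so the reply does not reveal which accounts exist.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[user] = nonce
	return nonce, nil
}

// LoginMessage is what the client signs: a constructed context string, the account
// name and the nonce, so a signature cannot be reused for another account or purpose.
func LoginMessage(user string, nonce []byte) []byte {
	return append([]byte("webapp-login:"+user+":"), nonce...)
}

// Login verifies the signature against the key registered at signup. The nonce is
// consumed on every attempt, so a captured signature cannot be replayed. The length
// check keeps Verify from panicking when no (or a malformed) key is registered.
func (s *Server) Login(user string, sig []byte) bool {
	nonce, ok := s.nonces[user]
	delete(s.nonces, user)
	pub := s.keys[user]
	return ok && len(pub) == ed25519.PublicKeySize &&
		ed25519.Verify(pub, LoginMessage(user, nonce), sig)
}
```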

