[mod_python] Authentication and security in general

Dan Eloff dan.eloff at gmail.com
Tue Apr 25 14:53:53 EDT 2006


This is maybe a little off topic, but I got to thinking and reading
about authentication and security.

I learned a few things that concern me and I'd like to discuss them.

Basic Authentication works by sending the username/password on every
request, which means anyone along the route with a packet sniffer (in
my house, or at my work, at the isp, etc) can easily glean the
password and username. Digest Auth is no better, it just means the
crook has to be somewhat technically savvy because you can't use the
browser to make requests. Big deal, I was doing that as a teenager.

If you use SSL, then everything gets encrypted and it's secure. But
change the https:// to http:// in the browser, or click a link given
to you that does the same and your username/password are transmitted
in the clear again. So a little more complex for an attacker, now he
has to get you to visit a special url. Simply devise a website, use
the location: header, and you can steal a person's login (and thus
probably their identity) if they are currently logged in somewhere and
visit your site AND you are monitoring their communications. That's
extremely unlikely for a random attacker, but easy enough for people
you work with, so using http authentication isn't very secure unless
there is a way to stop browsers from sending your user/pass in the
clear.

Cookies are a little better, you can use secure to make sure they are
only sent over SSL connections, so you have the effect that the user
is logged in only when viewing https:// pages, and not anywhere else.
That complicates things unless you always use SSL for every page a
user views when logged in.

But few places do that. I know gmail doesn't, I'm looking at my SID
right now, attached to an unsecured cookie and passed in the clear.
It's good for two weeks. So a week from now some hacker could check up
on his packet sniffer, and find it gleaned my SID, and gain access to
my gmail account. Perhaps gmail adds a few checks for security, such
as rejecting the session if it comes from a different IP than it
originated from (maybe a good idea for mod_python sessions?). It's
unlikely that this attacker has managed to send the request from my IP
address unless he's at my ISP or he's on the same network (at work, at
a public network when I check my email from my laptop). But that could
be a lot of people. Anybody who can access my email will, with some
ingenuity be able to access almost every website I previously thought
of as secure.

Surely it can't be all that easy? There must be some tricks for
securing things that I'm not aware of. Something I'm misunderstanding?

-Dan
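A defender's sketch of the two mitigations raised in the post (a session cookie flagged Secure and HttpOnly, and rejecting a session presented from a different client address than it was issued to, the check Dan suggests for mod_python sessions). This is an added example in plain Python, not code from the list or from mod_python; the in-memory store, the two-week lifetime and all names are constructed assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: sid -> {user, ip, expires}.
# A real deployment would use a persistent, server-side store.
SESSIONS = {}
SESSION_TTL = 14 * 24 * 3600  # the two-week lifetime the post mentions

def issue_session(user, client_ip, now):
    """Create a session bound to the client address that logged in."""
    sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, not guessable
    SESSIONS[sid] = {"user": user, "ip": client_ip, "expires": now + SESSION_TTL}
    return sid

def session_cookie_header(sid):
    """Set-Cookie line marking the SID as Secure (sent only over HTTPS)
    and HttpOnly (not readable by page scripts)."""
    c = SimpleCookie()
    c["SID"] = sid
    c["SID"]["secure"] = True
    c["SID"]["httponly"] = True
    c["SID"]["path"] = "/"
    return c.output(header="Set-Cookie:")

def validate_session(sid, client_ip, is_https, now):
    """Return (user, reason); user is None when the presented SID is rejected.
    Rejects plain-HTTP presentation, unknown or expired ids, and an address
    change since login, which is the sniffed-SID scenario from the post."""
    if not is_https:
        return None, "session cookie presented over plain HTTP"
    sess = SESSIONS.get(sid)
    if sess is None:
        return None, "unknown session id"
    if now >= sess["expires"]:
        SESSIONS.pop(sid, None)  # drop stale state instead of keeping it around
        return None, "session expired"
    if client_ip != sess["ip"]:
        return None, "client address changed since login"
    return sess["user"], "ok"
```

Binding a session to the client IP also breaks legitimate users behind rotating proxies or mobile networks, so treat it as one signal alongside the Secure flag and a short lifetime rather than the only check.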
