Security theater #1 - Using SSL for login

Heine — Fri, 22/08/2008 - 16:56

Update September 24, 2008 - Added a link to CVE-2008-3661 and "Fun Snags with Drupal Cookies"

Security theater consists of security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.

A quite popular activity among Drupal site owners and extension developers (drupal, firefox) is to make sure certain page requests happen over a secure HTTPS connection, whereas the majority of requests is still done over an unencrypted HTTP connection. User logins are typically the target of this effort.

Now, unless your really value your password (because you happen to be Ben Bernanke and use the same password for the documents holding the future interest rate), this is only going to give you a false sense of security. I know, it is still a very warm and comfy feeling, but it won't be so comforting when some clown sees Mike Perry's presentation and takes away your site.

The problem

The problem is rooted in the fact that whenever you access your Drupal site via HTTPS the session cookie is not automatically marked as being secure. This means that the browser will handout the same cookie when you access your site via HTTP. As it contains your session ID unencrypted, an adversary can now use the session ID to wreak havoc on your site. As you can see, all the security mumbo jumbo can be trivially bypassed. Miky Perry's tool makes it even easier to execute these kinds of attacks.

The solution (sort of)

You need to make sure session.cookie_secure is set for all HTTPS connections. How depends on your server setup, but Apache usually has different vhosts for these types of connections, so there's ample room for configuration. The browser will never send a cookie marked as secure over an HTTP.

The solution breaks a quite popular scenario (think security theater again): login via SSL, but access to other pages as an authenticated user via HTTP. This worked because the browser used the HTTPS cookie for HTTP connections. As we have seen, this is extremely bad.

There is currently no secure way to have mixed HTTP/HTTPS access to a site (unless you can live with being Anonymous on HTTP, of course).

Issue #170310

Now, what does issue #170310 —the talk of the day— fix?

When you do configure your webserver correctly and the HTTPS cookie is set to be secure, accessing your site via HTTP causes your HTTPS cookie to be overwritten. This means that you have to login again via HTTPS. The patch on #170310 fixes a mere annoyance, but does not improve or affect security in any way.

Post new comment

I reserve the right to edit any comment submitted to the site. If your comment contains flaming, advertisements, or simply too many spelling errors (leet speak), it may never appear.

Your name:

E-mail:

The content of this field is kept private and will not be shown publicly.

Homepage:

Subject:

Comment: *

Web page addresses and e-mail addresses turn into links automatically.
Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote>
Lines and paragraphs break automatically.
You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>, <as>, <as3>, <csharp>, <diff>, <drupal5>, <drupal6>, <html>, <js>, <mysql>, <php>, <phpbrief>, <python>, <sql>, <plain>, <xml>. Beside the tag style "<foo>" it is also possible to use "[foo]". PHP source code can also be enclosed in <?php ... ?> or <% ... %>.

More information about formatting options

Heine