[TYPO3-50-general] Proposal for a RSA authentication provider/mechanism
Bastian Waidelich
bastian at typo3.org
Sat Jan 3 17:15:43 CET 2009
Andreas Förthner wrote:
Hi Andi and happy New Year!
> Possible attack vectors
I'm not an expert when it comes to authentication, but I'll gladly add
my 50 cents (:
> - We cannot secure the browser; I see no simple solution against key
> loggers and so on. (Graphical keyboards are not very usable, right?)
Even though that would be nice, it will never be 100% possible and
hopefully nobody's gonna expect that..
But it's an interesting topic and there are some interesting approaches
out there (e.g. https://myvidoop.com/videos/signin-to-account)
> - Message 1-3 from above shouldn't make any problems if someone reads
> them, right?!
If you only send a positive feedback when a valid username was given,
this could be abused to discover BE usernames, which might be problematic..
> - Replaying message 4 won't authenticate the user, as the challenge is
> no longer valid.
How do you plan to assure that a challenge is only valid for one
request? And will you include some kind of identifier (OS, Browser,
Cookie) to make sure it's the same client?
> (Man-in-the-middle attack).
I remember we were talking about this during the Transition Days. If
there is a "man in the middle", he could simply provide you with a
"fake" login page anyways..
> The only thing to avoid that, would be
> message authentication (HMAC) but that requires a shared secret between
> client and server or client certificates, which is probably not
> manageable for most people.
It would be great to support client certificates as an optional feature,
but I have no idea how complex that'd be.
> - We definitely need JavaScript, which might be a bit ugly for "FE" Logins.
Yeah, that's a pity and we should definitely add an obvious
noscript-warning to the login page!
But providing a fallback solution is probably similar to hiding a copy
of your hi-tech safety key under the doormat ;)
Good luck with the implementation, I'll happily betatest anything!
Bastian
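The two questions raised above (how to make a challenge valid for only one request, and how to avoid leaking which usernames exist) can be shown with a small challenge/response model. The following is an added example written for this page; it is not code from the thread or from TYPO3, and it is in Python rather than the project's PHP. The RSA step of the proposal is replaced by an HMAC over the challenge keyed with a password-derived key, so everything runs offline; that server-side key is password-equivalent, which is exactly the shared-secret problem the quoted mail mentions. The class and function names, the 60-second lifetime and the sample user are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays usable (assumed value)


def derive_key(password: str) -> bytes:
    # Password-derived key; stands in for the RSA step of the proposal.
    # Fixed salt and iteration count are example choices only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000)


def compute_response(key: bytes, username: str, nonce: str) -> str:
    # "Message 4" of the exchange: proof of the key bound to this nonce.
    return hmac.new(key, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Server side of the login exchange.

    A challenge is a random nonce stored together with the username and the
    client identifier (e.g. a session cookie) it was issued to, and it is
    removed the first time it is presented, so a captured message 4 cannot
    be replayed and cannot be used from another client.
    """

    def __init__(self, users, now=time.time):
        # users: username -> password (constructed sample data in demo()).
        self._keys = {u: derive_key(p) for u, p in users.items()}
        self._dummy_key = derive_key("")      # used for unknown usernames
        self._challenges = {}                 # nonce -> (user, client_id, expires_at)
        self._now = now

    def issue_challenge(self, username: str, client_id: str) -> str:
        # Always hand out a challenge, whether or not the user exists, so the
        # reply to message 1 does not reveal which BE usernames are valid.
        nonce = secrets.token_hex(16)
        self._challenges[nonce] = (username, client_id, self._now() + CHALLENGE_TTL)
        return nonce

    def verify(self, username: str, client_id: str, nonce: str, response: str) -> bool:
        # pop() consumes the nonce: a second verify with the same nonce fails.
        entry = self._challenges.pop(nonce, None)
        if entry is None:
            return False
        issued_to, issued_client, expires_at = entry
        if issued_to != username or issued_client != client_id:
            return False
        if self._now() > expires_at:
            return False
        key = self._keys.get(username)
        if key is None:
            # Unknown user: do the same HMAC work against a dummy key so the
            # timing does not distinguish this path from a real user.
            hmac.compare_digest(compute_response(self._dummy_key, username, nonce).encode(),
                                str(response).encode())
            return False
        expected = compute_response(key, username, nonce)
        return hmac.compare_digest(expected.encode(), str(response).encode())


def client_login(server: ChallengeResponseServer, username: str,
                 password: str, client_id: str):
    # Client side: fetch a challenge (messages 1-3) and answer it (message 4).
    nonce = server.issue_challenge(username, client_id)
    return nonce, compute_response(derive_key(password), username, nonce)


def demo():
    # Constructed sample user; returns (first login ok, replay of message 4 ok).
    server = ChallengeResponseServer({"admin": "correct horse battery staple"})
    nonce, response = client_login(server, "admin", "correct horse battery staple", "cookie-A")
    first = server.verify("admin", "cookie-A", nonce, response)
    replay = server.verify("admin", "cookie-A", nonce, response)
    return first, replay


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The single-use property comes entirely from the server-side table: the nonce is removed on first presentation, and a stale or foreign nonce is rejected before any password material is touched. Binding the nonce to a client identifier answers the "same client" question from the mail, but only as far as that identifier itself cannot be stolen; it does nothing against an attacker who already controls the browser.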