Feature #897
back transmission and arguments encryption
| Status: | Closed | Start date: | 2008-06-28 | |
|---|---|---|---|---|
| Priority: | Could have | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | Security | Spent time: | - | |
| Target version: | - | Estimated time: | 0.00 hour | |
| Votes: | 0 |
Description
Maybe I am a little paranoid when i goes about security ;)
But what do you think of encryption either arguments and the returned content.
So the invoke of service could looks like:
http://www.example.com/typo3conf/ext/remote_server/index.php?command=982934sdfasdfasdfssfsd9839458349545migumvg85utm49guvmsdigjsdifguysdnv57869586nbiurgymvuityew9r8
And the answer like: 89afansdfnasdiufasdf7as98df7as98dfnui9a8sdf878sd7fsdf
Advantages: (even if someone sniff packets)- Attackers can not see username and password
- Attackers can not see GET arguments
- Attackers can not even try to insert malicious GET arguments, because he can not make it encrypted with proper key.
- Attackers can not see returned content
Why not https? Because it is still easy to make "man in the middle attack".
History
Updated by Francois Suter almost 5 years ago
Interesting idea. How would that work? With public and private keys for each TYPO3 install? Do you have experience doing that kind of encryption?
Updated by Francois Suter almost 5 years ago
- Category set to Security
Updated by Xavier Perseguers almost 5 years ago
We could do this with a shared key and an authentication based on a digest. I did it recently and this is not very tricky and works well.
Updated by Krystian Szymukowicz almost 5 years ago
@Francois:
I do not think we will need public and private keys for each TYPO3. It is enough with one shared password/encryption key. I can not see any weakness in using one shared password.
@ Xavier:
Do we really need authentication based on a digest ? remote_server already does an standard TYPO3 based authentication so we need only to protect the data being send.
We can take advantage of the fact that the client already has encryption key.
Please take look at:
http://forge.typo3.org/wiki/extension-surveyserver/Encryption
I am not an security expert but as for now I can not see any security problem with my proposal above. Although it it complicates things a little.
Updated by Xavier Perseguers almost 5 years ago
The encryption is OK but I do not like the idea of sending a username+password although we already have a shared secret. As such, the password is not needed anymore. But you should also prevent a command to be intercepted and replayed. A command could be an insert or a delete a could have side effect if reexecuted out of context. As such, I would prefer a digest authentication where you do not need to transmit the password anymore and you have a nonce sent by the server that will enhance security while preventing replay attacks.
Updated by Krystian Szymukowicz almost 5 years ago
Yes you right Xavier that if intercepted then the command can be replayed and this can cause problems so the digest authentication seems to be right choice.
If we will use digest authentication then indeed there is no need to send username and the password in GET parameter.
But - and this is question to Francois I think - do we need to authenticate on BE users? Can we just have separate user/pass for remote_server?
Updated by Krystian Szymukowicz almost 5 years ago
- Subject changed from back transmision and arguments encription to back transmission and arguments encryption
Updated by Francois Suter almost 5 years ago
I must admit that I have no clue how digest authentication works. Xavier gave a link, but I don't have time to read that right now.
About remote server, it relies on BE users, yes. Obviously such a BE user can be a user with no other rights, but it has to be a BE user. I will have to take a look at digest authentication to see what would need to be changed in the remote server extension. I would to try and keep what I think it the main advantage of remote server: since it relies on standard TYPO3 auth services, it can use all the existing security features, no need to reinvent the wheel. Maybe it is just a question of creating a new auth service for digest authentication (don't know if that makes sense).
Updated by Krystian Szymukowicz almost 5 years ago
I just looked into TYPO3 authentication method challenge/superchallenge and I think it is some kind of digest authentication.
It could be nice if someone with more experience in this field can have look at it, will you Xavier?
Updated by Xavier Perseguers almost 5 years ago
Yes, I could look at it. BTW, I found an extension digestauth that authenticates BE users using digest...
Updated by Francois Suter 11 months ago
- Status changed from New to Closed
I'm closing all the related issues, since this is not developer anymore. Caretaker should be referred too instead: http://forge.typo3.org/projects/show/extension-caretaker