Obfuscation of url LINKS - Pitch in ?

nlarson

I agree Tom, there is a convenience factor which is slick, but even beyond that anyone storing personally identifying information for users in the US or EU should use these features. There are many Laws which have sharp teeth going on the books about personal data. I am sure that applies else where too.

For example, I noticed one of our members has a debt collection app. If that has info like SSNs, account numbers, etc. stored in it for any resident of Massachusetts and said data it gets transmitted without encryption the businesses using and/or providing the service could face fines of up to $25,000 per incident with no damage cap thanks to MA 201 CMR 17 (http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf). While it is unlikely to be noticed, the risk if detected is huge!

That's just one simple example, it is easy to come up with many more. IMHO security best practices need to be a high priority on any software roadmap.

tford

Excellent point Njal.

I do not use the URL strings that AwareIM currently supports due to the risks involved.

nlarson

That's the thing, login strings are a red herring, unless you are forcing https the login data (and all subsequent data) is being transmitted plain text...

Here is the RAW post from the login form. I partially obscured my info before posting, but this goes out for anyone to grab.

POST http://69.64.XX.XXX:8080/AwareIM/logonOp.aw HTTP/1.1
Host: 69.64.65.235:8080
Connection: keep-alive
Content-Length: 69
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: http://69.64.65.235:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://69.64.65.235:8080/AwareIM/logonOp.aw
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=46A4FAE2756B4164AD085F22A3420E60

userName=njXXXXXXXoal.com&password=JaXXXXXX0&domain=%3Cdefault%3E

[/code]

RocketRod

Happy to pitch in.

Cheers Rod

hpl123

I am also in on this as I have stated before. The advanced security features would be IDEAL and we could possible ask Awaresoft for a quote?

Nevertheless, the "cloak" solution is better than nothing and if the ideal solution doesn´t go anywhere in the nearest future, the cloak solution could be a good start.

nlarson

There is obviously a good deal of interest in bringing security in line with current best practices. Support would you mind contributing your thought on the subject? Is what we have described possible? on the road map? maybe even ballpark costs?

Thanks.

aware_support

There seem to be quite a few issues raised here, so let's stay focused and not discuss persistent cookies and making SSL setup easier here (separate topics can be raised for this if necessary).

As far as security is concerned, there seem to be two issues here:
1) Aware IM links are not secure enough. Fair point.
2) Communication between the client and server is not secure.

Regarding 2). If you want this communication to be secure then you must use https and SSL - this is what it is for. So unless I am missing some important point here, let's not discuss 2) here, either.

Regarding 1). The "cloak" solution which involves Base64 with XOR shifting is fairly easy and can be included in 5.7. You will have a function that will encode all the information in the link:
http://locahost:8080/AwareIM/logonOp.aw?e=abdrrjafdee....

where everything after e= will be an encrypted representation of the proper link parameters like:
domain=Blah&userName=blah&password=blah&firstCommand=blah

To achieve the encryption you will use this function in your configuration when generating the link:
ENCODE_LINK ('domain=....')

Aware IM will automatically decrypt the encrypted link.

Later on we can increase strength of encoding to use 128-bit DES encryption with parameter e2=... and the function ENCODE_LINK2

Please provide your comments ASAP. 5.7 is nearly ready. If this is something that you can live with, it will be included in 5.7 straight away.

tford

Excellent!

Thanks once again for your clarity & responsiveness.

hpl123

Sounds great and lika a good plan. I'm all for it.
Thanks support

RocketRod

I dont understand how this would work with users logging in with the various login types that are currently available but I admit I know very little about this stuff. I can see how it works if I sent a URL to a user say via an email as I use the function in a process to encode it but logging in with the standard login scripts with their various parameters? How does that work?

So I leave it to others who know more about this.

Cheers Rod

aware_support

Nothing will change. There will just be an additional way to use Aware IM login links. This one will only use ONE parameter and it will have all other parameters encrypted inside this one.

RLJB

I think this would be good and helps hide some info like the domain and the first process name etc.

But... This is really only useful for guest login right? You can't use it for normal users as you would need to know their password (which is encrypted in the db so you can't use it in the URL - could you?)

I'm curious how others are going to make use of this?

nlarson

RLJB wrote
I'm curious how others are going to make use of this?

No value for me. Hard to discuss a security without discussing the points which have labeled 'let's not discuss'. I'll start up another topic.

Rennur

I'd like to see the ENCODE_LINK function included in 5.7. Useful.

RLJB

Ok, I just configured a situation where this would be useful.

I am emailing this once a month to customers:

http://mydomain.com/Start/logonGuest.aw?domain=BIG&firstCommand=startProcessWithInit,SPlan_EnterSales,main,SPlan&CustomerNumber=0001

It would be good not to show any "readable" info (like CustomerNumber).

It would be even better if I could actually log the user in as themselves not just as a Guest.

Rennur

How vulnerable would the link below be if using a secure SSL and encoded with the new Aware encryption function?

https://mydomain.com/Start/logonOp.aw?domain=BIG&userName=Admin&password=password&firstCommand=startProcessWithInit,SPlan_EnterSales,main,SPlan&CustomerNumber=0001

1) If the encryption is decoded through Aware, can the encrypted contents be decoded using 3rd party software?

2) Can we generate our own custom encryption key so that the link cannot be decoded by another AwareIM system?

Also, encryption would be useful for use with iframes 🙂

nlarson

Rennur wrote
How vulnerable would the link below be if using a secure SSL and encoded with the new Aware encryption function?

The situation you describe is a bit like mixing metaphors. SSL protects the data transmitted durning the session, but it has nothing really to do with protecting the link except when the link is transmitted data. In this case would only be when a user clicks it, At all other times it would be vulnerable to anyone who can hack base 64 (which is everyone with internet acess... http://www.base64decode.org/).

So, It would be well protected from 3rd party hijacking of session data but pretty easily abused by anyone who ever gains access to the link.

Also, not sure if you were just using your info as an example, but using your admin account for this type of feature increases you risk substantially, as does using the default UID/Password. With that info they could do real and irreparable damange, not just real other user data.

RLJB

Further to the above, re using admin and password.... How can you do this since you don't know your users passwords in the system as they are encrypted?

As far as I understand it, we're talking only about guest access for this function? Please tell me if I misunderstood.

Rennur

Thanks for the explanation and pointing out the flaws in my post.

not sure if you were just using your info as an example, but using your admin account for this type of feature increases you risk substantially

The admin/password combination was an example & I should never be published for obvious reasons.

In this case would only be when a user clicks it, At all other times it would be vulnerable to anyone who can hack base 64 (which is everyone with internet acess... http://www.base64decode.org/).

Support mentioned a e2 function 128bit encryption. I thought this would not be the base64 mask but a proper encryption.

Further to the above, re using admin and password.... How can you do this since you don't know your users passwords in the system as they are encrypted?

This has completely slipped my mind :oops:.
I guess the only way is for the user to be directed to the login page and continue once logged in.

As far as I understand it, we're talking only about guest access for this function?

I believe so.

Cheers

nlarson

Rennur wrote
Support mentioned a e2 function 128bit encryption. I thought this would not be the base64 mask but a proper encryption.

Yes, that was mentioned as a possible future iteration.

As far as I understand it, we're talking only about guest access for this function?

As an alternative to opening up large sections of your apps to guest access, You could create a registered user and/or access level for specifically for this function. It's not perfect, but it adds one more layer or protection.

« Previous Page Next Page »