Obfuscation of url LINKS - Pitch in ?

aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Post by aware_support »

Nothing will change. There will just be an additional way to use Aware IM login links. This one will only use ONE parameter and it will have all other parameters encrypted inside this one.
Aware IM Support Team
RLJB
Posts: 914
Joined: Tue Jan 05, 2010 10:16 am
Location: Sydney, Australia

Post by RLJB »

I think this would be good and helps hide some info like the domain and the first process name etc.

But... this is really only useful for guest login, right? You can't use it for normal users as you would need to know their password (which is encrypted in the db, so you can't use it in the URL - could you?)

I'm curious how others are going to make use of this?
Rod. Aware 8.6 (latest build), Developer Edition, on OS Linux (Ubuntu) using GUI hosted on AWS EC2, MYSQL on AWS RDS
nlarson
Posts: 597
Joined: Thu Apr 14, 2011 7:56 pm

Post by nlarson »

RLJB wrote:I'm curious how others are going to make use of this?
No value for me. Hard to discuss security without discussing the points which have been labeled 'let's not discuss'. I'll start up another topic.
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Post by Rennur »

I'd like to see the ENCODE_LINK function included in 5.7. Useful.
RLJB
Posts: 914
Joined: Tue Jan 05, 2010 10:16 am
Location: Sydney, Australia

Post by RLJB »

Ok, I just configured a situation where this would be useful.

I am emailing this once a month to customers:

http://mydomain.com/Start/logonGuest.aw ... umber=0001

It would be good not to show any "readable" info (like CustomerNumber).

It would be even better if I could actually log the user in as themselves not just as a Guest.
Rod. Aware 8.6 (latest build), Developer Edition, on OS Linux (Ubuntu) using GUI hosted on AWS EC2, MYSQL on AWS RDS
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Post by Rennur »

How vulnerable would the link below be if using a secure SSL and encoded with the new Aware encryption function?

https://mydomain.com/Start/logonOp.aw?domain=BIG&userName=Admin&password=password&firstCommand=startProcessWithInit,SPlan_EnterSales,main,SPlan&CustomerNumber=0001

1) If the encryption is decoded through Aware, can the encrypted contents be decoded using 3rd party software?

2) Can we generate our own custom encryption key so that the link cannot be decoded by another AwareIM system?

Also, encryption would be useful for use with iframes :)
nlarson
Posts: 597
Joined: Thu Apr 14, 2011 7:56 pm

Post by nlarson »

Rennur wrote:How vulnerable would the link below be if using a secure SSL and encoded with the new Aware encryption function?
The situation you describe is a bit like mixing metaphors. SSL protects the data transmitted during the session, but it has nothing really to do with protecting the link except when the link is transmitted data. In this case that would only be when a user clicks it. At all other times it would be vulnerable to anyone who can hack base 64 (which is everyone with internet access... http://www.base64decode.org/).

So, it would be well protected from 3rd party hijacking of session data but pretty easily abused by anyone who ever gains access to the link.

Also, not sure if you were just using your info as an example, but using your admin account for this type of feature increases your risk substantially, as does using the default UID/Password. With that info they could do real and irreparable damage, not just read other user data.
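Editor's added example, illustrating nlarson's point that a base64 "mask" is reversible by anyone, next to Rennur's two questions (can a third party decode it, and can the key be per-system). This is not Aware IM's ENCODE_LINK or the e2 function mentioned by support; it is a hypothetical encrypt-then-MAC token for a single link parameter, keyed with a per-deployment secret. The parameter name `link`, the sample parameters, the secrets and the one-week expiry are all assumptions. It uses only the Python standard library, so the cipher is a keystream from HMAC-SHA256 in counter mode standing in for AES-GCM; in production use AES-GCM from a real library rather than this stand-in.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample: the readable parameters from the link quoted in the thread,
# minus the credentials (a password never belongs in a mailed link).
PARAMS = {
    "domain": "BIG",
    "firstCommand": "startProcessWithInit,SPlan_EnterSales,main,SPlan",
    "CustomerNumber": "0001",
}


def obfuscate_base64(params: dict) -> str:
    """The 'base64 mask': no key involved, anyone with a decoder reverses it."""
    return base64.urlsafe_b64encode(urlencode(params).encode()).decode()


def deobfuscate_base64(token: str) -> dict:
    qs = base64.urlsafe_b64decode(token.encode()).decode()
    return {k: v[0] for k, v in parse_qs(qs).items()}


class LinkSealer:
    """Encrypt-then-MAC token for one 'link' parameter, keyed per deployment.

    Hypothetical design (not Aware IM's own). Stand-in cipher: keystream from
    HMAC-SHA256 in counter mode; use AES-GCM from a real library in production.
    """

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self, master_secret: bytes):
        # Separate encryption and MAC keys derived from one per-deployment secret,
        # so a token minted on one system cannot be opened or forged on another.
        self._enc_key = hmac.new(master_secret, b"link-enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_secret, b"link-mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                                   hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def seal(self, params: dict, ttl_seconds: int = 7 * 24 * 3600, now=None) -> str:
        now = int(time.time()) if now is None else now
        payload = json.dumps({"p": params, "exp": now + ttl_seconds},
                             separators=(",", ":")).encode()
        nonce = os.urandom(self.NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(payload, self._keystream(nonce, len(payload))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")

    def open(self, token: str, now=None):
        """Return the parameters, or None if tag, key or expiry does not check out."""
        now = int(time.time()) if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except (ValueError, TypeError):
            return None
        if len(raw) <= self.NONCE_LEN + self.TAG_LEN:
            return None
        nonce = raw[:self.NONCE_LEN]
        ct = raw[self.NONCE_LEN:-self.TAG_LEN]
        tag = raw[-self.TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # tampered, truncated, or minted under another deployment's key
        payload = json.loads(bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))))
        if payload["exp"] < now:
            return None  # stale link: a forwarded or leaked mail stops working
        return payload["p"]


def build_link(base_url: str, token: str) -> str:
    # Single parameter, as support described; the name "link" is an assumption.
    return f"{base_url}?link={token}"


def tamper(token: str, index: int = 30) -> str:
    """Flip one character inside the ciphertext (constructed edit of a mailed link)."""
    return token[:index] + ("A" if token[index] != "A" else "B") + token[index + 1:]


if __name__ == "__main__":
    sealer = LinkSealer(b"deployment-A-secret")
    print(build_link("https://mydomain.com/Start/logonGuest.aw", obfuscate_base64(PARAMS)))
    print(build_link("https://mydomain.com/Start/logonGuest.aw", sealer.seal(PARAMS)))
```

Even the sealed link is still a bearer credential: whoever holds the mail gets whatever the link grants, which is nlarson's point above. The expiry and a guest-level account with minimal rights limit that damage; encryption only stops outsiders reading or editing CustomerNumber and forging links for another deployment.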
RLJB
Posts: 914
Joined: Tue Jan 05, 2010 10:16 am
Location: Sydney, Australia

Post by RLJB »

Further to the above, re using admin and password.... How can you do this since you don't know your users' passwords in the system as they are encrypted?

As far as I understand it, we're talking only about guest access for this function? Please tell me if I misunderstood.
Rod. Aware 8.6 (latest build), Developer Edition, on OS Linux (Ubuntu) using GUI hosted on AWS EC2, MYSQL on AWS RDS
Rennur
Posts: 1191
Joined: Thu Mar 01, 2012 5:13 am
Location: Sydney, Australia

Post by Rennur »

Thanks for the explanation and pointing out the flaws in my post.
nlarson wrote:not sure if you were just using your info as an example, but using your admin account for this type of feature increases your risk substantially
The admin/password combination was an example & should never be published, for obvious reasons.
nlarson wrote:In this case that would only be when a user clicks it. At all other times it would be vulnerable to anyone who can hack base 64 (which is everyone with internet access... http://www.base64decode.org/).

Support mentioned an e2 function with 128-bit encryption. I thought this would not be the base64 mask but proper encryption.
RLJB wrote:Further to the above, re using admin and password.... How can you do this since you don't know your users' passwords in the system as they are encrypted?

This had completely slipped my mind :oops:.
I guess the only way is for the user to be directed to the login page and continue once logged in.
RLJB wrote:As far as I understand it, we're talking only about guest access for this function?
I believe so.

Cheers

Cheers
nlarson
Posts: 597
Joined: Thu Apr 14, 2011 7:56 pm

Post by nlarson »

Rennur wrote: Support mentioned a e2 function 128bit encryption. I thought this would not be the base64 mask but a proper encryption.
Yes, that was mentioned as a possible future iteration.
As far as I understand it, we're talking only about guest access for this function?
As an alternative to opening up large sections of your apps to guest access, you could create a registered user and/or access level specifically for this function. It's not perfect, but it adds one more layer of protection.
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Post by ACDC »

I think this is excellent, it's a step in the right direction; the ultimate would of course be the e2 function with 128-bit encryption. As much as it is easy to decode, it's still better than an exposed link - there are numerous reasons for this.

As to whether this is only for a guest login, no .... it's for any url that is sent to a user of the system.

I think mailing links with embedded passwords is totally wrong and bad practice. Communication of any password should force the user to go through a reset of the password when logging in for the first time. This way the password always remains secure.

If a NON guest user is sent a link then they must login first and then connect to the link (that's if they are not already logged IN). If you are mailing a Guest user and you require security around the process then they should not be a Guest user. However, there could be a case where a Guest user can second-guess other records from the make-up of the url and access these records (like getting a list of the users being mailed).

I see this encryption purely for the purpose of hiding the process from anyone wanting to snoop and poke around, and it has nothing to do with protecting passwords. This goes for all users.

One of the other things that comes to mind is the use of PROTECT as a mechanism to secure data from other users. What if I am using one of the "Make Invisible" or "Hide" or "Applicability" features, does this have the same PROTECT value of security? I don't think so (maybe support can confirm). But if this is the case a user with a valid login could begin to snoop around the system by second-guessing custom url LINKS. That includes custom buttons and url links on forms.
nlarson
Posts: 597
Joined: Thu Apr 14, 2011 7:56 pm

Post by nlarson »

ACDC wrote:I think mailing embedding passwords in a link is totally wrong and a bad practice.Communication of any password should force the user to go through a reset of the password when logging in for the first time.
I agree with your concept 100% - but I don't see how it can be implemented without a straightforward and officially supported methodology for SSL encryption in AwareIM. Without SSL, passwords are sent in clear text every time a user logs in; you might as well email them, it's the exact same thing.

The hide/applicability should not be considered secure; the data is sent to the client but not rendered by the browser. Also, Protect does not work for documents, so that is only partially secure.
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Post by ACDC »

nlarson wrote:but I don't see how it can be implemented without a straight forward and officially supported methodology for SSL encryption in AwareIM.
I use SSL encryption all the time. I am not sure what you mean by an officially supported methodology, but it's very easy to set up SSL on Awareim, what more do you need?
nlarson
Posts: 597
Joined: Thu Apr 14, 2011 7:56 pm

Post by nlarson »

ACDC wrote:I use SSL encryption all the time, I am not sure what you mean by an officially supported methodology, but its very easy to setup SSL on Awareim, what more do you need ?
I have been struggling to get it working, but will continue to have at it; the post I am working from is a few years old, so good to know it is still relevant.

By officially supported I mean a method that does not get 'wiped out' and require the heavy effort I have put in by each Aware upgrade, i.e. a feature of Aware.

My understanding is that the setting will not endure an upgrade, is that not the case? I am not looking to be a stick in the mud on this subject, so if I am mistaken that would be welcome news :)
ACDC
Posts: 1138
Joined: Sat Jun 30, 2007 5:03 pm
Location: California, USA

Post by ACDC »

There are always going to be customised settings, and the way to handle this is to keep a directory of the changes that need to take place and, when doing the upgrade, copy the files over into the new install. This is very painful, I know, but in the bigger scheme of things the time saved using this development tool far outweighs the effort to copy over the custom settings on every upgrade.

SSL is part of the Tomcat setup

If you want to get SSL going check this link out (BTW you don't have to subscribe to an authenticator to get a secure link in place)

http://www.awareim.com/forum/viewtopic.php?t=3554