Re: [Gnumed-devel] GNUmed web interface - authentication

[Sebastian Hilbert]

On Thursday 07 October 2010 11:44:49 Richard Taylor wrote:
> Hi
> 
Richard,

Thanks for your comments.

> Quick introduction: I just stumbled over GNU Med (followed a link from
> Linux Weekly News). I am a Python programmer and I have some experience
> of working on security issues in medical systems. I know very little
> about GNUmed, so please forgive me if I am say something that you are
> all fed up with discussing already :-)
> 
nah :-)

> It looks to me that there is a security problem with using session
> cookies as the method of linking the user identity to the database
> connection between requests. The concern is that it would be quite easy
> to steel the cookie (either by monitoring the network or by pulling it
> from the browser cookie store) and then hijacking the session.

That is indeed a problem.

> This
> could be partly mitigated if the proxy checked that the cookie was
> coming from the same IP address that it was originally supplied to, but
> this is still a problem if there is a NAT in the way. There is also a
> problem that the proxy gets to see everyone's username and password, in
> the clear. So if the proxy were subverted it would provide access to
> everyone's credentials.
> 
True. One might argue that when the attacker gets access to the proxy she can 
grab the database and do whatever he wants. Still you got a point here.

> I wonder if you considered using TLS client certificates to provide the
> persistent identity? 

We did not because at least I am not an expert in this field.

> Browsers now support client certificates quiet
> well. The web server can be configured 

does this mean Apache ? we use an python web server but I get a combination 
with Apache could be set up. I lack the skills in this field.

> to require the a client
> certificate and the application can access the 'Subject' of the client
> cert for each request. So the server can map from the 'Subject' to a
> cached database connection. This approach would also mean that a user
> could move between client machines and still get connected to their open
> database connection because the 'Subject' would still be the same.
> 

This sounds good but I am afraid I don't have the skills to implement this. I 
hope Luke can comment on that issue.

> Clearly the TLS approach has an overhead in the issuing and management
> of certificates and this might be unacceptable in your user context.
> 

To the contrary. The medical field does not suffer that much from a large 
flood of new users in a short timeframe so I don't see a problem.

> I believe that TLS certificates are the direction that is being pursued
> in the UK for single-sign-on across all medical systems. Although I have
> no idea whether this strategy will survive the impending reorganizations.
> 

I welcome the discussion and hope it will lead to a secure solution. For the 
moment I am more then happy that we have a working solution. If anyone wants 
to implement the proposed solution I would be the last one to block any 
effort.

> I wish the GNUmed team all the best with your endeavors.
> 
Thanks,

Sebastian