Re: [Gnumed-devel] GNUmed web interface - authentication
From: Sebastian Hilbert
Subject: Re: [Gnumed-devel] GNUmed web interface - authentication
Date: Thu, 7 Oct 2010 20:54:02 +0200
User-agent: KMail/1.13.5 (Linux/2.6.34.7-0.3-default; KDE/4.5.2; i686; ; )
On Thursday 07 October 2010 11:44:49 Richard Taylor wrote:
> Hi
>
Richard,
Thanks for your comments.
> Quick introduction: I just stumbled over GNU Med (followed a link from
> Linux Weekly News). I am a Python programmer and I have some experience
> of working on security issues in medical systems. I know very little
> about GNUmed, so please forgive me if I say something that you are
> all fed up with discussing already :-)
>
nah :-)
> It looks to me that there is a security problem with using session
> cookies as the method of linking the user identity to the database
> connection between requests. The concern is that it would be quite easy
> to steal the cookie (either by monitoring the network or by pulling it
> from the browser cookie store) and then hijacking the session.
That is indeed a problem.
> This
> could be partly mitigated if the proxy checked that the cookie was
> coming from the same IP address that it was originally supplied to, but
> this is still a problem if there is a NAT in the way. There is also a
> problem that the proxy gets to see everyone's username and password, in
> the clear. So if the proxy were subverted it would provide access to
> everyone's credentials.
>
True. One might argue that when the attacker gets access to the proxy she can
grab the database and do whatever she wants. Still, you've got a point here.
> I wonder if you considered using TLS client certificates to provide the
> persistent identity?
We did not because at least I am not an expert in this field.
> Browsers now support client certificates quite
> well. The web server can be configured
Does this mean Apache? We use a Python web server but I get that a combination
with Apache could be set up. I lack the skills in this field.
> to require a client
> certificate and the application can access the 'Subject' of the client
> cert for each request. So the server can map from the 'Subject' to a
> cached database connection. This approach would also mean that a user
> could move between client machines and still get connected to their open
> database connection because the 'Subject' would still be the same.
>
This sounds good but I am afraid I don't have the skills to implement this. I
hope Luke can comment on that issue.
> Clearly the TLS approach has an overhead in the issuing and management
> of certificates and this might be unacceptable in your user context.
>
To the contrary. The medical field does not suffer that much from a large
flood of new users in a short timeframe so I don't see a problem.
> I believe that TLS certificates are the direction that is being pursued
> in the UK for single-sign-on across all medical systems. Although I have
> no idea whether this strategy will survive the impending reorganizations.
>
I welcome the discussion and hope it will lead to a secure solution. For the
moment I am more than happy that we have a working solution. If anyone wants
to implement the proposed solution I would be the last one to block any
effort.
> I wish the GNUmed team all the best with your endeavors.
>
Thanks,
Sebastian
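An added illustration (not code from GNUmed or from either poster) of the subject-to-connection mapping Richard describes above: the identity comes from the client certificate the TLS layer already verified, represented here in the dict shape Python's ssl.SSLSocket.getpeercert() returns, and serves as the key for a cached database connection. The certificate contents, the clinic name and the connection object are constructed placeholders.

```python
import threading
from typing import Dict, Optional

# Constructed samples in the dict shape ssl.SSLSocket.getpeercert() returns for
# a *verified* client certificate: "subject" is a tuple of RDNs, each RDN a
# tuple of (type, value) pairs. Names and organisation are made up.
ALICE_CERT = {
    "subject": ((("countryName", "DE"),),
                (("organizationName", "Example Clinic"),),
                (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Clinic CA"),),),
}
BOB_CERT = {
    "subject": ((("countryName", "DE"),),
                (("organizationName", "Example Clinic"),),
                (("commonName", "bob"),)),
    "issuer": ((("commonName", "Example Clinic CA"),),),
}

def subject_dn(peercert: Optional[dict]) -> str:
    """Flatten a verified certificate's subject into a 'type=value,...' key.
    Raises ValueError when no certificate is present (the TLS layer did not
    verify one, or the client sent none) or when the subject has no
    commonName, so the mapping never falls back to an anonymous identity.
    """
    if not peercert or not peercert.get("subject"):
        raise ValueError("no verified client certificate on this connection")
    parts = [f"{t}={v}" for rdn in peercert["subject"] for (t, v) in rdn]
    if not any(p.startswith("commonName=") for p in parts):
        raise ValueError("client certificate subject lacks a commonName")
    return ",".join(parts)

class ConnectionRegistry:
    """One cached database connection per certificate subject.
    The dict stored per subject stands in for a real DB connection object;
    the lookup key is the TLS-verified subject, which a stolen cookie cannot
    reproduce and which follows the user across client machines.
    """
    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._open: Dict[str, dict] = {}

    def connection_for(self, peercert: Optional[dict]) -> dict:
        dn = subject_dn(peercert)          # identity taken from TLS, not a cookie
        with self._lock:                   # web servers serve requests concurrently
            if dn not in self._open:
                self._open[dn] = {"owner": dn, "id": len(self._open) + 1}
            return self._open[dn]
```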