Re: [Gnumed-devel] GNUmed web interface - authentication


From: Karsten Hilbert
Subject: Re: [Gnumed-devel] GNUmed web interface - authentication
Date: Fri, 8 Oct 2010 11:08:04 +0200
User-agent: Mutt/1.5.20 (2009-06-14)

For the record so it's in the archive:

While the concerns Richard raises here are certainly valid
they do not affect the standard GNUmed client at all.

Karsten Hilbert

On Thu, Oct 07, 2010 at 10:44:49AM +0100, Richard Taylor wrote:
> Date: Thu, 07 Oct 2010 10:44:49 +0100
> From: Richard Taylor <address@hidden>
> To: address@hidden
> Subject: [Gnumed-devel] GNUmed web interface - authentication
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
>       rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
> 
> Hi
> 
> Quick introduction: I just stumbled over GNU Med (followed a link from
> Linux Weekly News). I am a Python programmer and I have some experience
> of working on security issues in medical systems. I know very little
> about GNUmed, so please forgive me if I say something that you are
> all fed up with discussing already :-)
> 
> I was looking through the mailing list archive and got reading about
> the design of the web interface. I was interested to read about your
> decision to go with Pyjamas (cool system) and the problems you were
> having with per-user authentication to the Postgres database.
> 
> I have a couple of observations about your chosen solution (please feel
> free to ignore me):
> 
> It looks to me that there is a security problem with using session
> cookies as the method of linking the user identity to the database
> connection between requests. The concern is that it would be quite easy
> to steal the cookie (either by monitoring the network or by pulling it
> from the browser cookie store) and then hijack the session. This
> could be partly mitigated if the proxy checked that the cookie was
> coming from the same IP address that it was originally supplied to, but
> this is still a problem if there is a NAT in the way. There is also a
> problem that the proxy gets to see everyone's username and password, in
> the clear. So if the proxy were subverted it would provide access to
> everyone's credentials.
> 
> I wonder if you considered using TLS client certificates to provide the
> persistent identity? Browsers now support client certificates quite
> well. The web server can be configured to require a client
> certificate and the application can access the 'Subject' of the client
> cert for each request. So the server can map from the 'Subject' to a
> cached database connection. This approach would also mean that a user
> could move between client machines and still get connected to their open
> database connection because the 'Subject' would still be the same.
> 
> Clearly the TLS approach has an overhead in the issuing and management
> of certificates and this might be unacceptable in your user context.
> 
> I believe that TLS certificates are the direction that is being pursued
> in the UK for single-sign-on across all medical systems. Although I have
> no idea whether this strategy will survive the impending reorganizations.
> 
> I wish the GNUmed team all the best with your endeavors.
> 
> Regards
> 
> Richard

-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346
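
The Subject-to-connection mapping proposed in the quoted message, as an added example that is not code from GNUmed or from either author. It assumes an Apache mod_ssl style front end that verifies the client certificate and exports SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN to the application, and a single trusted issuing CA so that a Subject identifies one user; SubjectConnectionCache, FakeConnection and the sample Subject are hypothetical names constructed for the illustration.

```python
import time

class SubjectConnectionCache:
    """Map a verified client-certificate Subject DN to one open DB connection."""
    def __init__(self, connect, idle_timeout=900, clock=time.monotonic):
        self._connect = connect        # hypothetical factory: Subject DN -> connection
        self._idle_timeout = idle_timeout
        self._clock = clock
        self._entries = {}             # Subject DN -> (connection, last_used)

    def _expire(self):
        now = self._clock()
        for dn, (conn, last_used) in list(self._entries.items()):
            if now - last_used > self._idle_timeout:
                conn.close()
                del self._entries[dn]

    def for_request(self, environ):
        # Trust the Subject only if the TLS layer verified the certificate chain.
        if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
            raise PermissionError("no verified client certificate")
        dn = environ.get("SSL_CLIENT_S_DN", "")
        if not dn:
            raise PermissionError("verified certificate has no Subject")
        self._expire()
        conn, _ = self._entries.get(dn) or (self._connect(dn), None)
        self._entries[dn] = (conn, self._clock())
        return conn

class FakeConnection:
    """Constructed stand-in for a per-user PostgreSQL connection."""
    def __init__(self, dn):
        self.dn, self.closed = dn, False
    def close(self):
        self.closed = True

def demo():
    now = [0.0]                        # fake clock so the idle timeout is testable
    cache = SubjectConnectionCache(FakeConnection, 900, clock=lambda: now[0])
    def req(ip):                       # constructed request environment
        return {"SSL_CLIENT_VERIFY": "SUCCESS", "REMOTE_ADDR": ip,
                "SSL_CLIENT_S_DN": "CN=Alice Example,O=Example Clinic"}
    first = cache.for_request(req("192.0.2.10"))
    moved = cache.for_request(req("198.51.100.7"))   # same user, other machine
    now[0] = 1000.0                    # idle for longer than the timeout
    later = cache.for_request(req("192.0.2.10"))
    return first is moved, first.closed, later is first

if __name__ == "__main__":
    print(demo())
```

The lookup never consults REMOTE_ADDR or a cookie, so a NAT or a change of client machine does not affect which connection is returned; an idle connection is closed rather than left open for the next holder of the same Subject.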
