Techie wannabe

I admit it. I'm a wannabe techie. I used to do hands on technical work, but that was back in another generation, as in before the internet. Now, it seems that most of my time is spent poking holes in requirements (and tell me again, why do you want to do this?) and cleaning them up so my engineers know what to code to. If I get technical, it's with the ops stuff, not into any code.

Speaking of a blast from the past. Remember VMS? I do. I'm glad Unix (and it's grown up rebellious spawn Linux) out-lasted it. I really didn't care for VMS, with all the privileges and quotas. But it used to be popular, so I had to learn it. I used to call VMS the Klingon of operating systems, because both were ponderous and stuck on ceremony. Also both have redundant systems. I can't quite remember but a second something (stomach?) saved Warf from certain death. Guess which species was MS-DOS? I leave that as an exercise to the reader.

So as a wannabe techie, it is with some trepidation I plunge into a description of a technical problem we are having. But it's an interesting problem, so I wanted to put it out there. We recently built a webservice with the thought of making it public for our users to use. Right now the only client is the web frontend that runs on our sites. The service mostly provides read-only data, *but* a client can do some writes. As one would expect we require a login-in (user id and password) for the writes, because we are keeping track of the data for each user. This of course means that the client has to pass the userid and password to the webservice. And here is the problem. We don't want the userid and password to be passed to the server in the clear.

The XWS security model seems to assume a peer to peer model rather than client/server. So you can secure the conversation, but only if each side has installed a certificate. This is fine for two servers. But what about a webservice that might have lots of clients ... prebuilt clients that might be used by non-technical users? Getting each user of a client to download the certificate and compile it in is not really an option.

It is interesting to look at how other webservices with clients have tackled this problem, ie. Amazon. They don't use a user id and password. Instead they generate a token for each client. The token is passed in the clear, but at least it is not a password. However not very secure.

The only solution we have come up with is to put the entire webservice under https. There seems to be no way to secure just some of the conversation to a webservice. But having everything under https is way expensive. Much more handshaking has to be done for each connection. If anyone has any bright ideas we are all ears.

Kathy

P.S. I know that some people have been asking about Alameda. Truth is I don't know much about it's status, as I have been reorged away and taken on new work. If I hear anything that I will pass it along.

Posted on: Sep 23, 2004

Posted by: KitchenSink

Category: archive

Permanent link to this entry

Comments:

I believe that the way OpenACS (openacs.org) does it is to send a cookie/token that is an SHA-1 sum of a set of values and compare that token with what is sent back on the next request.

There is a method to determine if the cookie has been tampered with, and the cookie is only sent once over HTTPS to the client.

If the cookie is sent from someone else, the first session is invalidated, forcing a new token to be generated.

See here: http://openacs.org/doc/openacs-5-1/security-requirements.html for the overview and then here: http://openacs.org/doc/openacs-5-1/security-design.html for more info .

It should be trivial to implement this in your web app.

Posted by PatrickG on September 24, 2004 at 08:40 AM PDT #

Would this still mean putting the server under https? We were trying to avoid that.

Posted by KitchenSink on September 24, 2004 at 04:33 PM PDT #

VMS isn't dead! It's marketing name is now OpenVMS. Current owner is HP (who took over Compaq who took over Digital/DEC) Runs fine! 7.3 is the current shipping version on both VAX and Alpha chipsets. The Itanium version is up to 8.something Heck, it even runs Java! The non-HP website with loads about it is at http://www.openvms.org/

Posted by TomB on September 26, 2004 at 06:28 AM PDT #

In the spirit of using our own dogfood", you could protect your web service with a Sun Identity Server agent: your WS client uses the identity server apis to get a SSO token over https (not sure if they have a WS API to get the token, I only used the java API), then passes the token to your webapp's WS over http.

Thus the WS itself is not https protected, and you can programmatically invalidate the token from the ws client when your session's finished.

We use Identity for authentication and authorization in Sun Portal Server.

Posted by Patrick Chanezon on September 28, 2004 at 01:34 AM PDT #

(But having everything under https is way expensive. Much more handshaking has to be done for each connection.) If you use loadbalancing technolgies such as BigIP from F5, SSL encryption is being done by SSL Proxy only ONCE, meaning that the actual webservers do not need to run in HTTPS mode which again will make life easier (no SSL certificates on servers) and more performent (SSL hardware accelerator on Loadbalancer and not via CPU intensive work on servers). But in the end I'm not sure about your budget, so LB can still be more expensive...

Posted by Wali on October 03, 2004 at 01:13 PM PDT #

SSL accelerator, in the vein of "throw hardware at the problem", is something we have installed in one of our datacenters, but alas, not the one where this webservice is installed. But something to push for with the IT guys. Even with the accelerator you want to avoid entire visits under https as then your accelerator hardware has to be beefier. The suggestion of using identity server is one that bears looking into although the key would be the existence of a WS API to provide the token.

Posted by KitchenSink on October 04, 2004 at 01:01 PM PDT #

Post a Comment:
Comments are closed for this entry.

This blog copyright 2009 by KitchenSink