[plt-scheme] Looking for a security consultant with PLT web server experience

From: Neil Van Dyke (neil at neilvandyke.org)
Date: Sun Oct 4 02:19:41 EDT 2009

YC wrote at 10/03/2009 08:06 PM:
> Another thing to be thinking about for stateful servlet is that the 
> url is the key to the continuation. As long as the continuation is 
> live, people can email urls to another person, and the other person 
> will get to the exact same page.  Depending on the link in question - 
> it can be a security issue.  If you want to add additional check such 
> as verifying IP address (which doesn't work for customers behind an 
> anonymous proxy) you'll have to build your own abstractions on top of 
> send/suspend and co.

To add to this, checking IP address provides a check that might give a 
tiny bit more confidence, but it's not a solid security solution, and 
fails in a variety of situations more common than anon proxies (NAT, 
firewalls, shared machines, hijacked wire links, some wireless roaming...).

Regarding continuations, I think that the normal case is that the 
continuations correspond to a single session with a single human/robot.  
The purity of the model that lets other humans/robots also invoke 
continuations from the session is appealing in one sense, but stored 
continuations are ephemeral anyway, and unless session hijacking this 
way is a desired feature in a particular application, I suggest that 
always precluding it with the authentication mechanism is the way to go.

Unless you always pair a continuation ID with an authentication 
mechanism (or perhaps the continuation ID *is* the authentication 
token), putting the ID in the URL exposes it a lot of places that 
cookies do not, including on the link and in various HTTP proxies and 
logs that look at requests.  Even if you use SSL, I don't have 100% 
trust that the URLs themselves are hidden, as some browsers will leak 
request URLs in the clear under some circumstances.

Also, there's no reason that the non-session-specific information about 
pages can't be exposed in RESTful URLs, too, so that, say, user A could 
email to user B a URL to a page of photos without getting the 
continuation-based session context.  That's the preferred Web way of 
doing things, and you just need to consider canonical URLs for resources 
when doing information design for your site.

These are off-the-cuff, casual comments, not researched.

I'm sure that Untyped or YC could investigate these concerns and address 
if necessary.  Full disclosure: Untyped and I have collaborated a bit, 
and I hope to work with them more in the future.  (I'm not soliciting 
new consulting work myself right now, as my university term appointment 
gets first priority on my time, except for at 2am Saturday night. :)


Posted on the users mailing list.
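The hijack described in the thread, and the "always pair a continuation ID with an authentication mechanism" remedy, as an added example. This is not code from the PLT web server or from either poster, and it is written in Python rather than PLT Scheme so that it runs stand-alone: the `Server`, `send_suspend` and `resume` names, the `/servlet?k=<id>` URL shape, the in-memory session and continuation tables, and the users "alice" and "bob" are all assumptions of the example, not anything the PLT web server provides. The unbound variant models the "pure" model where the URL alone is the capability; the bound variant refuses to resume a continuation unless the request carries the session cookie that created it, so a forwarded URL fails (no IP check is used, for the reasons Neil gives).

```python
# Added example, not from the PLT web server or from the original post.
# Models continuation URLs in a stateful servlet and shows why a URL-only
# continuation key is a session-hijack vector, plus one way to preclude it
# by binding each continuation to the authenticated session that made it.
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Continuation:
    # Hypothetical stand-in for a stored continuation: the closure captures
    # the servlet's state (here, which user was logged in) at suspend time.
    body: Callable[[], str]
    # Session cookie value that may resume it, or None for the "pure" model
    # in which anyone holding the URL can resume.
    owner: Optional[str] = None


@dataclass
class Server:
    sessions: Dict[str, str] = field(default_factory=dict)        # cookie -> user
    continuations: Dict[str, Continuation] = field(default_factory=dict)  # k -> cont

    def login(self, user: str) -> str:
        """Create an authenticated session and return its cookie value."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def send_suspend(self, body: Callable[[], str],
                     session: Optional[str] = None) -> str:
        """Store a continuation and return the URL that resumes it.

        With session=None the URL is the whole capability (the pure model).
        With a session the continuation is bound to that session's cookie.
        """
        k = secrets.token_urlsafe(32)
        self.continuations[k] = Continuation(body=body, owner=session)
        return f"/servlet?k={k}"

    def resume(self, url: str, cookie: Optional[str] = None) -> Tuple[int, str]:
        """Resume the continuation named in the URL; returns (status, page)."""
        k = parse_qs(urlsplit(url).query).get("k", [None])[0]
        cont = self.continuations.get(k) if k else None
        if cont is None:
            return 404, "no such continuation (expired or never existed)"
        if cont.owner is not None:
            # Bound model: the cookie must name a live session and must be the
            # very session that created the continuation. The URL alone,
            # whether emailed, logged, or leaked by a proxy, is not enough.
            live = cookie is not None and cookie in self.sessions
            if not live or not secrets.compare_digest(cookie, cont.owner):
                return 403, "continuation is bound to another session"
        # Pure model falls through: whoever holds the URL gets the page,
        # with the original user's state baked into the closure.
        return 200, cont.body()


def servlet_for(user: str) -> Callable[[], str]:
    """The page a servlet would produce after send/suspend for this user."""
    return lambda: f"private photos of {user}"


def demo() -> Dict[str, Tuple[int, str]]:
    """Alice creates both kinds of continuation URL, then forwards them to Bob."""
    srv = Server()
    alice = srv.login("alice")
    unbound_url = srv.send_suspend(servlet_for("alice"))
    bound_url = srv.send_suspend(servlet_for("alice"), session=alice)
    bob = srv.login("bob")
    return {
        "alice_unbound": srv.resume(unbound_url, cookie=alice),
        "alice_bound": srv.resume(bound_url, cookie=alice),
        # Bob received the URLs by email; he has no cookie, or only his own.
        "bob_unbound_no_cookie": srv.resume(unbound_url, cookie=None),
        "bob_bound_no_cookie": srv.resume(bound_url, cookie=None),
        "bob_bound_own_session": srv.resume(bound_url, cookie=bob),
        "bogus": srv.resume("/servlet?k=not-a-real-key", cookie=alice),
    }


if __name__ == "__main__":
    for name, (status, page) in demo().items():
        print(f"{name:24s} {status} {page}")
```

In the pure model `bob_unbound_no_cookie` succeeds and returns Alice's page, which is exactly the forwarded-URL hijack YC describes; in the bound model both of Bob's attempts get 403 while Alice's own request still works. The non-session-specific page Neil mentions (a shareable album) would be served from its own canonical URL with its own authorization check rather than from a continuation at all.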