On Fri, Dec 18, 2009 at 6:58 PM, macdd <cool_russe...@yahoo.com> wrote:
> plain text then it isn't very secure. Okay so https comes in. What I
> don't understand is when to use it and when not to. It seems like if
> you authenticate over https just for user credentials and then go back
> to http (like yahoo) then someone could just eavesdrop your cookie and
> be you, making logging in and out in any form pointless?
To be perfectly honest, I stopped caring about man-in-the-middle and eavesdropping attacks a very long time ago. I suppose that if I were employed by a defense or intelligence agency, or if I were handling extremely sensitive corporate or financial data, I might give some thought to them, because the security requirements in those fields are so strict and the stakes are so high (US defense/intelligence agencies, for example, go so far as to mandate specific -- classified -- RF-emission requirements for their hardware, in order to prevent electromagnetic eavesdropping). Even in that situation, though, MITM would not be atop my list of priorities.

And the plain and simple truth is that I don't work in such fields. I write software to let news companies publish things, and MITM really isn't even on my radar.

If this seems strange, consider that an attacker -- should he or she be both motivated and determined enough to try to obtain the credentials of one of my users -- simply has access to far too many easier and simpler attack vectors which can accomplish that.

First on the list, and hardest to defend, is phishing: it doesn't matter how much security I build into the connection between my server and my user's browser, if the user can be fooled into typing credentials into a form on some other site. And fooling users into doing that is unbelievably easy.

Then there are the cross-site scripting and cross-site request forgery attacks, both of which can be pulled off easily and in ways which are hard to detect. XSS is the ring-0 attack of the web, and a far more likely vector than packet sniffing or cookie replaying. And CSRF is the terrorist hijack of the Internet, but you don't realize you've been hijacked until it's far too late. At least they can be mitigated and prevented, and Django provides tools which allow you to do just that.

But there's a whole list of easy but effective tactics which goes on and on; most involve social engineering or low-tech methods. Some are as simple as glancing over someone's shoulder in a coffeeshop. And all of them are far, far, far more likely to be used against you than a frail and complex credential-sniffing man-in-the-middle attack.

Like I said, MITM just isn't even on my radar, and probably shouldn't be on yours either. But if you feel you must focus on unlikely and difficult threat models rather than likely and simple ones, there's an easy answer: HTTPS for everything. Nothing else comes close, and probably nothing else will for the foreseeable future.

Of course, this presumes that your users know how to spot the difference between plain unencrypted HTTP and encrypted HTTPS, or are paying attention to the indicators their browsers give about certificate validity, or are even bothering to look at the address bar at all. Sadly, the answer to all of those questions is "no": your users don't know and don't care, and if someone decides it's worth going after them, they'll get compromised by far simpler, far lower-tech phishing attacks just like everybody else...

-- 
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
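The cookie leak the question describes (log in over HTTPS, then browse over plain HTTP), modelled with Python's standard-library cookie jar as an added example that is not code from this thread; the URLs and cookie values are constructed, and SESSION_COOKIE_SECURE is the Django setting that adds the Secure attribute the model depends on.

```python
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Stand-in for an HTTP response; the jar only calls info() on it."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # repeated keys are kept

    def info(self):
        return self._headers


def cookies_attached(set_cookie_header, login_url, later_url):
    """Store the cookie issued by the login response at login_url, then return
    the cookie names the jar would send to later_url (Secure rule as in a browser)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse([set_cookie_header]),
                        urllib.request.Request(login_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)  # adds "Cookie: ..." only for cookies allowed here
    header = later.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0] for part in header.split("; ") if part)


# Constructed sample: a Django session cookie as issued by the login page,
# without and with the Secure attribute (SESSION_COOKIE_SECURE = True adds it).
LOGIN = "https://example.com/accounts/login/"
INBOX_HTTP = "http://example.com/inbox/"
INBOX_HTTPS = "https://example.com/inbox/"
PLAIN = "sessionid=c0nstructed; Path=/; HttpOnly"
SECURE = "sessionid=c0nstructed; Path=/; Secure; HttpOnly"


def leaks_over_http(set_cookie_header):
    """True when the session cookie would ride on a plain-HTTP request,
    where anyone on the network path can read and replay it."""
    return "sessionid" in cookies_attached(set_cookie_header, LOGIN, INBOX_HTTP)


if __name__ == "__main__":
    print("no Secure flag, sent over http: ", leaks_over_http(PLAIN))  # True
    print("Secure flag, sent over http:    ", leaks_over_http(SECURE))  # False
    print("Secure flag, sent over https:   ",
          "sessionid" in cookies_attached(SECURE, LOGIN, INBOX_HTTPS))  # True
```

The Secure attribute only stops the cookie from being sent over HTTP; it does not stop the HTTP pages themselves from being tampered with, which is why the reply's answer is HTTPS for everything rather than HTTPS for the login form alone.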