Safely moving session in and out of SSL

Posted: Wed Nov 07, 2012 8:32 am
by Eric!
Some hosts offer free shared SSL certs. But often to use them you have to route users through their shared SSL domain (like secure.hostname.com/~useraccount/index.html). This makes using SSL somewhat undesirable for the full session if it isn't necessary to encrypt everything.

Is there a recommended way to move in and out of SSL sessions securely?

I was thinking of:
1. Page A: (non-ssl) Create token and put in db with time stamp
2. Page A: (non-ssl) Pass hash+salt of token to ssl Page B
3. Page B: (ssl) Compare passed hash+salt with db token (hash+salt) and check time stamp for expiration (very short life span)
4. Page B: (ssl) Process sensitive user input.
5. Page B: (ssl) When done update db with new token/time stamp and pass hash+salt back to non-ssl Page C
6. Page C: (non-ssl) Compare db to passed token and time stamp and continue if valid

Other than going to all SSL pages, is there a better approach? (FYI the salt is there mostly because the first token to Page A is retrieved externally over an SSL connection, but I know nothing about how it is being generated or how safe/random it is).

This idea would be vulnerable to session hijack between A and B, or B and C. However I think the ultimate goal of keeping the data entered in Page B secure would still be achieved because in this application there is no way for users to retrieve/view the input data at any point in the process.

Thanks in advance

Re: Safely moving session in and out of SSL

Posted: Wed Nov 07, 2012 8:36 am
by Benjamin
Shared hosting is not secure by its very nature though and would never pass PCI compliance.

Re: Safely moving session in and out of SSL

Posted: Fri Nov 09, 2012 7:52 am
by Eric!
Never? I've seen other people counter that statement on other sites indicating that they have received PCI compliance on shared hosts.

Re: Safely moving session in and out of SSL

Posted: Fri Nov 09, 2012 9:49 am
by Benjamin
There are questionnaires you can fill out to confirm you are compliant. You can answer those as you wish in order to get the desired outcome.

If the processing is handled by a third party it would be ok, but even if the card numbers on a shared hosting server only ever existed in ram and were never saved to disk it's still dangerous because an attacker could write code to save those numbers for you.

Re: Safely moving session in and out of SSL

Posted: Fri Nov 09, 2012 12:47 pm
by Eric!
There are shared hosts that are set up specifically to be PCI compliant, with scans conducted by a PCI Compliant Approved Scanning Vendor (ASV). For example: https://www.pcicomplianthosting.com/cpa ... osting.php I don't think they are hiding anything in order to pass.

Re: Safely moving session in and out of SSL

Posted: Fri Nov 09, 2012 7:16 pm
by Christopher
Eric! wrote: I was thinking of:
1. Page A: (non-ssl) Create token and put in db with time stamp
2. Page A: (non-ssl) Pass hash+salt of token to ssl Page B
3. Page B: (ssl) Compare passed hash+salt with db token (hash+salt) and check time stamp for expiration (very short life span)
4. Page B: (ssl) Process sensitive user input.
5. Page B: (ssl) When done update db with new token/time stamp and pass hash+salt back to non-ssl Page C
6. Page C: (non-ssl) Compare db to passed token and time stamp and continue if valid
You may not need the hash -- just use the Session ID. But you need to regenerate the session ID every request. Perhaps one of the security mavens around here like Mordred can shed some light on the security of different approaches.

Re: Safely moving session in and out of SSL

Posted: Fri Nov 09, 2012 9:41 pm
by Benjamin
Our PCI compliant shared hosting plans come with cPanel and are a great solution for businesses currently on a shared plan and for businesses who cannot justify the cost of a dedicated server. Please note this plan cannot be used to store credit card numbers online, for that you will need the 2 dedicated server solution.
It's PCI compliant only because they are not storing the numbers. But we both know that's a moot point. If an attacker has access to the server in order to grab card numbers, they could also modify code to send the card numbers to themselves every time one is processed.

Re: Safely moving session in and out of SSL

Posted: Sat Nov 10, 2012 8:12 am
by Eric!
@christopher Actually I'm checking/regenerating the session IDs too, but I'm also using the token because it is used in another location on an ssl/secure dedicated server. I guess this isn't done very often because I haven't found any recommended methods. So I'm wondering if I'm missing something (other than PCI compliance ;-).

@Benjamin good point. Shared hosting has its weaknesses. I guess for small merchants PCI compliance is more relaxed if no numbers are saved. From what I understand it is an acceptable scenario for compliance. For sites with very few transactions, the owners can't justify the 5x higher costs of dedicated servers. Certainly many cheap shared hosts are not caged, or are configured poorly, and they would be a much higher risk too than a medium-priced host that advertises that its focus is on security with caged systems, regular audits and updates.