Overview of current system:
Chrooted, virtual machine.
SSL protected login credentials
Salted, Hashed password storage/comparison
Strong password requirements (8 characters, 1 each of upper, lower, special, and number, compared against a dictionary/l337-speak dictionary)
Time delays for brute force slowdown
Currently no password request reminder/reset mechanism exposed to users directly. (I need to address this, however).
Missing components:
Real logging/notification for attack attempt profiling/real time response
SessionId protection (just the standard php system)
No CSRF protection
Other suspected weak areas?
Currently I'm only using SSL for the login page, not for the whole site -- therefore I'm not using the cookies_only, cookies_ssl_only options for the session. That could be an option, but the performance trade-off would need to be examined more.
I think that coding up the token/nonce system for my forms to beat CSRF is probably the next vector to attempt to offer some protection against.
The site is not an e-commerce site; it's not a likely target, but I don't want to be stupid about leaving obvious issues open.
Help identify the weakest link in this security system...
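An added example, not code from the original poster's site, of the two items the post singles out: a token/nonce for forms against CSRF, and the session cookie options. It assumes PHP 7.1 or later and uses the real ini names (session.use_only_cookies, session.cookie_secure, session.cookie_httponly, session.use_strict_mode) for what the post calls cookies_only / cookies_ssl_only; the form, the field name and the CSRF_KEY constant are made up for illustration.

```php
<?php
// Added example (not the original poster's code): synchroniser-token CSRF
// protection plus the session cookie hardening discussed in the post.
// Assumes PHP >= 7.1 (random_bytes, hash_equals, nullable types).

declare(strict_types=1);

// --- Session hardening: must run before session_start() ---
function harden_session(bool $https_everywhere): void
{
    // Accept the session ID only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    // Keep the cookie away from document.cookie (limits theft via XSS).
    ini_set('session.cookie_httponly', '1');
    // Send the cookie over TLS only. Safe once the whole site is on HTTPS;
    // on a mixed site the browser would not send it to plain-HTTP pages,
    // which is the trade-off the post raises.
    ini_set('session.cookie_secure', $https_everywhere ? '1' : '0');
    // Refuse client-supplied IDs the server never issued (fixation defence).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Call right after a successful login so a pre-login ID is not carried over.
function on_login_success(): void
{
    session_regenerate_id(true);
}

// --- CSRF token (synchroniser token pattern) ---
// One random token per session; every form embeds it as a hidden field and
// every state-changing request is checked against it.
const CSRF_KEY = '_csrf_token'; // hypothetical field name

function csrf_token(): string
{
    if (empty($_SESSION[CSRF_KEY])) {
        $_SESSION[CSRF_KEY] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION[CSRF_KEY];
}

// Hidden input for templates; the token is hex, so escaping is just defensive.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_KEY . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; false for a missing, empty or wrong token.
function csrf_verify(?string $submitted): bool
{
    if ($submitted === null || $submitted === '' || empty($_SESSION[CSRF_KEY])) {
        return false;
    }
    return hash_equals($_SESSION[CSRF_KEY], $submitted);
}

// --- Usage on a form-handling page ---
harden_session(false); // switch to true once the whole site is served over TLS

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST[CSRF_KEY] ?? null)) {
        // A failed token check is exactly the kind of event the post's
        // missing "real logging" should record.
        error_log('CSRF token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Invalid request token.');
    }
    // ... handle the state-changing action here ...
}
?>
<form method="post" action="">
    <?= csrf_field() ?>
    <input type="text" name="example_field">
    <button type="submit">Submit</button>
</form>
```

The token lives in the session rather than in a cookie, so an attacker's cross-site form cannot read or guess it; hash_equals keeps the comparison constant-time. Because the same token is reused for the session's lifetime, regenerating the session ID on login (on_login_success) is what keeps a pre-authentication token from being handed to an attacker-fixated session.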
Ambush Commander (Moderator, General Moderators):
What type of man-in-the-middle hijack are you referring to?
Phishing -- where a third-party website is pretending to be my site, same appearance, to capture credentials before submitting to my site to confirm they've stolen a working pair? Well, that would either not show up as SSL to the user or have an incorrect cert.
Or just the "normal" session hijacking, but that's not a m-i-t-m attack...