
Help identify the weakest link in this security system...

Posted: Tue Aug 23, 2005 9:38 am
by nielsene
Overview of current system:

Chrooted, virtual machine.
SSL protected login credentials
Salted, Hashed password storage/comparison
Strong password requirements (8 characters, 1 each of upper, lower, special, and number, compared against a dictionary/l337-speak dictionary)
Time delays for brute force slowdown

Currently no password request reminder/reset mechanism exposed to users directly. (I need to address this, however).

Missing components:
Real logging/notification for attack attempt profiling/real time response
SessionId protection (just the standard php system)
No CSRF protection
Other suspected weak areas?

Currently I'm only using SSL for the login page, not for the whole site -- therefore I'm not using the cookies_only, cookies_ssl_only options for the session. That could be an option, but the performance trade-off would need to be examined more.

I think that coding up the token/nonce system for my forms to beat CSRF is probably the next vector to attempt to offer some protection against.

The site is not an e-commerce site; it's not a likely target, but I don't want to be stupid about leaving obvious issues open.
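A concrete shape for the token/nonce system the post says it wants to code up, as an added example in PHP; this is not code from the thread or from the poster's site. It assumes PHP 7.3 or later (for random_bytes(), hash_equals() and array_key_first()), that the session is started before the checks run, and a hypothetical form action /change-email.php. It shows both the cheap per-session token and the stricter one-time, action-bound nonce the post mentions, so the trade-off between them is visible in code:

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3 (random_bytes,
// hash_equals, array_key_first); /change-email.php is a hypothetical form handler.
declare(strict_types=1);

// --- Variant 1: one secret per session, reused by every form -------------------------
// A cross-site page cannot read the victim's session, so it cannot supply the value.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded so it is attribute-safe.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time and returns false on a length mismatch.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// --- Variant 2: one-time nonce bound to one action, with expiry ----------------------
// A leaked value is useless after one submission, after $ttl seconds, or on another form.
function nonce_issue(string $action, int $ttl = 900): string
{
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['nonces'][$nonce] = ['action' => $action, 'expires' => time() + $ttl];
    // Drop the oldest entries so abandoned tabs cannot grow the session without bound.
    while (count($_SESSION['nonces']) > 32) {
        unset($_SESSION['nonces'][array_key_first($_SESSION['nonces'])]);
    }
    return $nonce;
}

function nonce_consume(string $action, string $nonce): bool
{
    $entry = $_SESSION['nonces'][$nonce] ?? null;
    if ($entry === null) {
        return false;
    }
    unset($_SESSION['nonces'][$nonce]);   // single use, even if the checks below fail
    return $entry['action'] === $action && $entry['expires'] >= time();
}

function hidden_field(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// --- Handler for the hypothetical state-changing form --------------------------------
session_start();
$action = 'change-email';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = csrf_check($_POST)
       && nonce_consume($action, (string)($_POST['nonce'] ?? ''));
    if (!$ok) {
        http_response_code(403);
        exit('Request rejected: missing, expired, or reused form token.');
    }
    // ... validate $_POST['email'] and update the account here ...
}
?>
<form method="post" action="/change-email.php">
  <?= hidden_field('csrf_token', csrf_token()) ?>
  <?= hidden_field('nonce', nonce_issue($action)) ?>
  <input type="email" name="email" required>
  <button type="submit">Update e-mail</button>
</form>
```

Two caveats worth keeping in mind with any of this: the token must only ever travel in a POST body, never in a GET URL where it lands in logs and Referer headers, and it protects against a different attacker than the session-cookie problem the post describes. Someone who can sniff the session cookie off the non-SSL pages can simply fetch the form themselves and read a valid token out of it, so the nonce does nothing against that attacker.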

Posted: Sun Aug 28, 2005 12:48 pm
by Ambush Commander
The weakest link is the user.

Okay, that probably wasn't what you were asking for (and this is a pretty useless reply), but still...

Edit

Since cookies are not being passed via SSL, I think that SessionId protection is your biggest problem now. Basically, I agree.
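What "SessionId protection" beyond the stock PHP defaults looks like, as an added example in PHP (not code from the thread). It assumes PHP 7.3 or later for the array form of session_set_cookie_params() with the samesite key; the function names are illustrative:

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 (array form of
// session_set_cookie_params with 'samesite'). Function names are illustrative.
declare(strict_types=1);

function secure_session_start(bool $tls_everywhere): void
{
    // The ID travels only in the cookie, never in a URL (no Referer or log leaks).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject any ID the server did not generate itself (stops session fixation).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,                // gone when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $tls_everywhere,  // usable only if every page needing the cookie is HTTPS
        'httponly' => true,             // document.cookie cannot read it; limits theft via XSS
        'samesite' => 'Lax',            // withheld on cross-site POSTs; a second line against CSRF
    ]);
    session_start();
}

function login_success(int $user_id): void
{
    // Fresh ID on privilege change: an ID captured or planted before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user_id;
    $_SESSION['last_seen'] = time();
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function require_login(int $max_idle = 1800): int
{
    $fail = function (string $why): void {
        logout();
        http_response_code(403);
        exit('Session rejected: ' . $why);
    };
    if (empty($_SESSION['user_id'])) {
        $fail('not logged in');
    }
    if (time() - (int)$_SESSION['last_seen'] > $max_idle) {
        $fail('idle timeout');          // bounds how long a stolen ID stays usable
    }
    // Cheap hijack heuristic: the same ID now arriving from a different browser string.
    if (!hash_equals($_SESSION['ua_hash'], hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''))) {
        $fail('client changed');
    }
    $_SESSION['last_seen'] = time();
    return (int)$_SESSION['user_id'];
}

// Usage: every page calls secure_session_start(); login.php calls login_success()
// once the salted-hash comparison passes; protected pages call require_login().
secure_session_start(false);   // pass true once the whole site is served over TLS
```

Of all of these, only the secure flag stops the ID crossing the wire in the clear, and it cannot be set while only the login page is on SSL: the ID the login page hands out is sent in plaintext on the very next request. The user-agent check is a heuristic at best (an attacker who sniffed the cookie also saw the User-Agent header), and the idle timeout and regenerate-on-login shrink the window rather than close it. The usual way out without moving the whole site to SSL is two cookies: a plain one for browsing and a second, secure-flagged one that is required only on pages that change account state.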

Posted: Sun Aug 28, 2005 12:58 pm
by Joe
You may be using SSL to protect your login credentials, however have you thought about man-in-the-middle attacks (hijacks)?

Posted: Sun Aug 28, 2005 1:19 pm
by nielsene
What type of man-in-the-middle hijack are you referring to?

Phishing -- where a third-party website is pretending to be my site, same appearance, to capture credentials before submitting to my site to confirm they've stolen a working pair? Well, that would either not show up as SSL to the user or have an incorrect cert.

Or just the "normal" session hijacking, but that's not a m-i-t-m attack...