Saturday, April 26, 2008

Crummy cookie authentication schemes

Ever wonder what happens after you log in with a password on a Web site like Blogger, Facebook, banks, shopping Web sites, and such? Often the Web server sets a cookie that essentially says, "Hi. This user already authenticated with a password, so don't bother to ask for the password when the user clicks on the next restricted Web page." This feature is incredibly convenient. Can you imagine typing your password each time you click on a different Web page? That would be unbelievably cumbersome.

Unfortunately, it's amazingly difficult to design a secure Web authentication scheme. Even the experts can mess up. Sometimes the flaws in a cookie authentication scheme let an intruder bypass the password check entirely. In 2001, I published a USENIX Security paper that attempted to classify the flaws in various Web authentication schemes, discover their root causes, and find ways to avoid them. Yesterday, Steven J. Murdoch proposed a solution to fix a vulnerability he discovered in the WordPress cookie authentication scheme. Further information appears in Murdoch's paper and slides. The vulnerability permits an attacker to gain administrative access, and resulted from a type of "cryptographic splicing" flaw that was discussed in the USENIX Security paper and the more comprehensive technical report: pieces of legitimately authenticated data are recombined into a cookie whose authenticator still verifies, but which the server then interprets as belonging to a different user. Nearly seven years after these publications and the CACM Risks column, the same types of problems keep popping up.
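To make the splicing class concrete, here is an added example (not code from this post, from the USENIX paper, or from WordPress; the cookie layout, the secret key and the user names are all constructed for illustration). The flawed scheme MACs the user name and expiry glued together with no delimiter, so an attacker who can register an account whose name extends the victim's name can move characters from one field to the other without changing the MAC input. The hardened scheme length-prefixes each field before MACing, which removes the ambiguity.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed server-side secret for the example; a real deployment uses a random key
# from its configuration or key store.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def _mac(data: bytes) -> str:
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()


# --- Flawed scheme: the tag covers user and expiry glued together with no delimiter ---

def issue_cookie_flawed(user: str, expiry: int) -> str:
    # Wire format is user|expiry|tag, but the MAC input is user+expiry with nothing between them.
    tag = _mac((user + str(expiry)).encode())
    return f"{user}|{expiry}|{tag}"


def verify_cookie_flawed(cookie: str, now: int) -> Optional[str]:
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, expiry, tag = parts
    if not hmac.compare_digest(_mac((user + expiry).encode()), tag):
        return None
    if int(expiry) < now:
        return None
    return user


def splice_attack(victim: str, cookie_for_attacker: str) -> str:
    """Forge a cookie for `victim` from a cookie legitimately issued to an attacker-chosen
    account whose name is the victim's name followed by digits (e.g. "admin" -> "admin1").
    Moving those digits from the user field into the expiry field leaves the MACed string
    unchanged, so the tag still verifies, yet the server now reads the victim's name.
    As a side effect the expiry grows, so the forged cookie also passes the expiry check."""
    user, expiry, tag = cookie_for_attacker.split("|")
    if not (user.startswith(victim) and len(user) > len(victim)):
        raise ValueError("attacker's user name must extend the victim's name")
    return f"{victim}|{user[len(victim):]}{expiry}|{tag}"


# --- Hardened scheme: encode fields unambiguously before MACing ---

def _encode(fields: List[str]) -> bytes:
    # Length-prefix every field, so distinct field lists never produce the same byte string.
    out = b""
    for field in fields:
        raw = field.encode()
        out += len(raw).to_bytes(4, "big") + raw
    return out


def issue_cookie_fixed(user: str, expiry: int) -> str:
    if "|" in user:
        raise ValueError("user name may not contain the cookie delimiter")
    tag = _mac(_encode([user, str(expiry)]))
    return f"{user}|{expiry}|{tag}"


def verify_cookie_fixed(cookie: str, now: int) -> Optional[str]:
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, expiry, tag = parts
    if not hmac.compare_digest(_mac(_encode([user, expiry])), tag):
        return None
    if int(expiry) < now:
        return None
    return user


if __name__ == "__main__":
    NOW = 1_600_000_000
    legit = issue_cookie_flawed("admin1", 1_700_000_000)   # attacker's own, honestly issued cookie
    forged = splice_attack("admin", legit)
    print("flawed scheme accepts forged cookie as:", verify_cookie_flawed(forged, NOW))
    legit_fixed = issue_cookie_fixed("admin1", 1_700_000_000)
    print("fixed scheme accepts forged cookie as:",
          verify_cookie_fixed(splice_attack("admin", legit_fixed), NOW))
```

The same ambiguity arises whenever variable-length fields are concatenated before hashing or MACing, whatever the delimiter used on the wire; the defence is to make the MAC input unambiguous (length prefixes, or a delimiter that is also inside the MAC and forbidden in every field) rather than to trust the parse of the cookie. The layout here is a minimal illustration of the class, not a reproduction of WordPress's cookie code or of Murdoch's proposed fix.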

Is there a perfect solution for secure Web authentication based on cookies? No, but we can learn from our mistakes. Designers of security-sensitive Web applications should read up on their history before repeating the mistakes of yore. Not everyone is a Steven J. Murdoch; Web application developers should rely on designs and code from folks like Murdoch rather than risking the design or implementation of a flawed scheme. But even then, be wary of putting too much faith in a cookie authentication scheme.