From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
To: Mike Gerwitz <mtg@gnu.org>
Cc: Guile User <guile-user@gnu.org>
Subject: Re: mailmam, web bridge, forum, p2p
Date: Sat, 26 Oct 2019 11:35:06 +0200 [thread overview]
Message-ID: <20191026093506.qbox46mcjt747pxo@pelzflorian.localdomain> (raw)
In-Reply-To: <87y2x83z6h.fsf@gnu.org>
On Sat, Oct 26, 2019 at 12:31:34AM -0400, Mike Gerwitz wrote:
> On Fri, Oct 25, 2019 at 08:08:45 +0200, pelzflorian (Florian Pelz) wrote:
> > So you would use both a cookie to retain login state and then only for
> > sensitive requests additionally use nonces to prevent CSRF. Would you
> > use POST for all (sensitive) requests after login?
>
> GET requests are supposed to retrieve information, not modify it, and
> should be indempotent. Since they should have no meaningful
> side-effects, CSRF shouldn't have any meaningful action to
> exploit.
You are right. That makes sense. We need not abstain from cookies
and with cookies we can have GET requests retain session state and
then for anything sensitive use a nonce, whether GET or POST,
i.e. write code for links to include a nonce and verify nonces.
Thank you!
> Whether or not that's true in practice of course depends on
> how the site was developed. If a GET request does have some meaningful
> side-effect (e.g. maybe it logs the action and that event can influence
> some other part of the system), then it may need to be mitigated by
> including a nonce.
>
Probably for a mailing list interface, there should not be such a log annyway.
We will have to remember session cookies are fine, so we can have all
the nice things like multiple tabs, but making a sensitive request
means using a nonce
> >> Checking the referrer isn't a good security measure. For example, if
> >> the legitimate referrer were vulnerable to XSS, open redirects, or a
> >> host of other vulnerabilities, then an attacker could circumvent it by
> >> having the CSRF attack originate from that website.
> >>
> >
> > I read Amirouche’s owasp link which describes checking the referer
> > only as an additional “Defense in Depth” security measure in the hope
> > of preventing what it calls login CSRF, i.e. giving someone a login
> > from someone else without them noticing (if I understand correctly).
> > A cookie would prevent that anyway, I suppose.
>
> It's a potentially valid defense-in-depth strategy, but isn't sufficient
> on its own. I personally don't see much value in it. If a
> properly-implemented nonce-based mitigation strategy fails, then the
> attacker is likely in a situation where the referrer is no longer a
> barrier (e.g. they have access to the page and can inject scripts or
> just hijack the session). Mitigating session hijacking is extremely
> difficult in this scenario---you can't perform IP-based checks because
> users often change IPs (e.g. on mobile networks, VPN, Tor, etc). You
> can't rely on any information sent by the client because it can be
> spoofed by the attacker.
>
As I understand it, checking the referer should defend against the
attacker sending a user a link where the user is logged in as someone
else. Cookies prevent that anyway, so if we avoid XSS (which is easy
in Scheme’s SHTML) and do not let others host web workers on the same
domain and such things, no further measures are needed, I think. In
particular, IP checking would not be needed, but I will think about
that again once I actually have studied Artanis.
Regards,
Florian
next prev parent reply other threads:[~2019-10-26 9:35 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-20 6:10 Diversification [ branched from Re: conflicts in the gnu project now affect guile] Todor Kondić
2019-10-20 6:14 ` John Cowan
2019-10-21 6:35 ` Arne Babenhauserheide
2019-10-21 13:45 ` Amirouche Boubekki
2019-10-23 6:16 ` Amirouche Boubekki
2019-10-23 6:27 ` Nala Ginrut
2019-10-23 6:48 ` pelzflorian (Florian Pelz)
2019-10-23 10:37 ` Chris Vine
2019-10-23 11:25 ` pelzflorian (Florian Pelz)
2019-10-23 12:33 ` pelzflorian (Florian Pelz)
2019-10-23 13:47 ` tomas
2019-10-23 14:10 ` pelzflorian (Florian Pelz)
2019-10-23 19:09 ` Mikael Djurfeldt
2019-10-23 19:26 ` pelzflorian (Florian Pelz)
2019-10-23 19:19 ` Zelphir Kaltstahl
2019-10-24 1:01 ` Nala Ginrut
2019-10-24 9:19 ` pelzflorian (Florian Pelz)
2019-10-24 9:35 ` mailmam, web bridge, forum, p2p (was: Diversification) Amirouche Boubekki
2019-10-24 12:30 ` pelzflorian (Florian Pelz)
2019-10-24 14:15 ` Nala Ginrut
2019-10-24 16:39 ` Zelphir Kaltstahl
2019-10-24 23:42 ` Nala Ginrut
2019-10-25 1:39 ` mailmam, web bridge, forum, p2p Mike Gerwitz
2019-10-26 7:48 ` tomas
2019-10-26 10:35 ` Nala Ginrut
2019-10-26 11:34 ` tomas
2019-10-27 4:50 ` Mike Gerwitz
2019-10-27 5:32 ` Mike Gerwitz
2019-10-27 8:50 ` tomas
2019-10-27 8:36 ` tomas
2019-10-27 14:26 ` Keith Wright
2019-10-27 19:28 ` Zelphir Kaltstahl
2019-10-25 6:08 ` mailmam, web bridge, forum, p2p (was: Diversification) pelzflorian (Florian Pelz)
2019-10-25 6:23 ` Nala Ginrut
2019-10-26 4:31 ` mailmam, web bridge, forum, p2p Mike Gerwitz
2019-10-26 9:35 ` pelzflorian (Florian Pelz) [this message]
2019-10-26 11:31 ` tomas
2019-10-24 13:32 ` mailmam, web bridge, forum, p2p (was: Diversification) tomas
2019-10-24 15:03 ` Nala Ginrut
2019-10-24 15:12 ` tomas
2019-10-24 16:35 ` Zelphir Kaltstahl
2019-10-26 8:04 ` tomas
2019-10-26 9:42 ` pelzflorian (Florian Pelz)
2019-10-26 11:31 ` tomas
2019-10-25 11:30 ` Mikael Djurfeldt
2019-10-25 12:53 ` Nala Ginrut
2020-09-05 6:15 ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] Joshua Branson via General Guile related discussions
2020-09-05 11:50 ` Web development Zelphir Kaltstahl
2020-09-05 13:09 ` Ricardo Wurmus
2019-10-28 11:04 ` mailman web interface (was: Diversification) pelzflorian (Florian Pelz)
2020-07-08 12:32 ` pelzflorian (Florian Pelz)
2020-09-05 6:21 ` mailman web interface Joshua Branson via General Guile related discussions
2020-09-05 7:53 ` pelzflorian (Florian Pelz)
2020-09-05 13:32 ` Joshua Branson
2019-10-23 13:43 ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] tomas
2019-10-23 17:39 ` Chris Vine
2019-10-23 19:58 ` Mailman web interface [was: Re: Diversification] pelzflorian (Florian Pelz)
2019-10-23 20:02 ` Diversification [ branched from Re: conflicts in the gnu project now affect guile] pelzflorian (Florian Pelz)
2019-10-26 8:14 ` tomas
2019-10-26 9:03 ` pelzflorian (Florian Pelz)
2019-10-26 11:26 ` tomas
2019-10-26 13:02 ` Zelphir Kaltstahl
2019-10-26 15:23 ` tomas
2019-10-26 16:47 ` pelzflorian (Florian Pelz)
2019-10-26 17:09 ` pelzflorian (Florian Pelz)
[not found] ` <874kzslwq0.fsf@elephly.net>
2019-10-28 15:41 ` pelzflorian (Florian Pelz)
2019-10-23 13:45 ` tomas
2019-10-20 8:07 ` pelzflorian (Florian Pelz)
2019-10-20 8:08 ` pelzflorian (Florian Pelz)
2019-10-22 18:47 ` Mark H Weaver
2019-10-22 19:23 ` Zelphir Kaltstahl
2019-10-22 20:51 ` Arne Babenhauserheide
2019-10-22 23:24 ` Chris Vine
2019-10-23 0:57 ` Zelphir Kaltstahl
2019-10-23 6:44 ` pelzflorian (Florian Pelz)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191026093506.qbox46mcjt747pxo@pelzflorian.localdomain \
--to=pelzflorian@pelzflorian.de \
--cc=guile-user@gnu.org \
--cc=mtg@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).