
Re: JavaScript and Cookies enabled in Browser



On 20 Aug 2004, Don Froien, III wrote:
> I was recently in a meeting where members of the IT group proposed to
> use a utility called WebEx to perform remote compiles. WebEx offers
> SSL encrypted transfers and the ability to admit only selected members
> to the meeting (remote compile in this case) and offers the transfers
> over https (port 443).

Sounds like a cute idea, but I don't quite see how it manages remote
compiles.

> The issue I see with this approach is that WebEx uses a browser interface that
> requires the browser to have JavaScript and Cookies enabled. I have always
> been under the impression that those two items were considerable security
> issues.

I think you are significantly overestimating the security risks there.
With an up-to-date browser, even IE, they don't pose too much of a risk.

Certainly, cookies are almost no risk. The worst case is that they allow
remote information gathering, or allow someone to "steal" the cookie and
impersonate you.

In either case there are normally easier ways to take over a machine. :)

> Does anyone know of any URLs or downloadable papers that will
> strengthen my argument against this approach? I believe a VPN solution
> to be more appropriate, but am being told that the WebEx approach is
> more secure.

This strikes me as a dubious claim. If, as they claim, they use the
browser SSL layer then they could be *as* secure as an IPSec or SSL VPN
system at best, and could be completely insecure.

> If anyone knows a reason that this approach is secure, please advise
> also.

If this really matters to you, do a real risk analysis of the situation:

Draw up a list of the things you need to protect or prevent.
Draw up a list of ways that people could attack those things.
Draw up a list of ways to ensure those attacks do not succeed.

Then, compare the final list to the various solutions on offer - VPN,
WebEx, etc. - and see which one achieves the best practical security.


For what it is worth, though, I wouldn't trust the WebEx system to be
more secure than a VPN in combination with a Firewall, simply because it
trusts weak components (end user systems) for security, and because I
can see no external review of the quality of their implementation.

If you really want them to look bad, grab papers where people have done
a security review of various VPN systems and ask for the same for the
WebEx system...

     Daniel
-- 
Laughter is our safety valve.  It helps us get through Sarajevo and the stupid
things politicians do.
        -- Jerry Lewis