MOLINIER Etienne Life is too short…

7 Dec 2010

securing http

In my last article I said we could use cookies to keep spies from stealing a user's identity when using http.

I have since realised that cookies are not sufficient, since we cannot issue a cookie that would be readable by the plugins and scripts in the http pages but that would not be transmitted over the internet with every http request.

So I gave this some thought and came up with a solution that uses an HTML5 feature, sessionStorage, to implement my http security.

I will soon release a demo, hoping to receive feedback on security issues I could not think of.

The general idea is to inject a javascript into every html page sent over http. This script then fetches a stack of http-request-tokens over https (SSL) and stores that stack in the local sessionStorage. The http-request-tokens are now available to javascript, have never been transmitted in clear text, and will not be transmitted automatically with every http request.

This allows our javascript to add an http-request-token as a POST parameter to each and every http request the client makes, which protects against identity theft.

The key feature of this design is that the token that actually authorizes the http request is valid for a single http request! This makes it impossible for an attacker to guess the next token, and he could not have spied on the tokens when the server negotiated the stack, since that happened over https. So the attacker is unable to forge an http request that the server will accept.

But be careful: any attacker can still see every token at the moment the legitimate client uses it. So use a token-generation algorithm that keeps an attacker from guessing tokens (use random tokens, and be careful, since insufficient entropy might allow the attacker to guess the tokens generated next).

Another enjoyable aspect of this approach is that it can be made almost transparent to the web application if it is embedded in the webserver (the token-checking part at least; the application must still let the javascript add the http-token to each GET/POST request).

Stay tuned for the demo.

Filed under: News, Web