[cap-talk] A palatable solution?
smagi at naasking.homeip.net
Thu Dec 1 19:10:46 EST 2005
Tyler Close wrote:
> It seems my explanation above was not understood, so I'm going to take
> another crack at it because it's important to understand.
> Assume a cap URL, K1. A GET on K1 returns a list of cap URLs C1, C2,
> ... A membrane service is bootstrapped by sending it K1 and getting
> back a proxy cap URL PK1. A GET operation on PK1 returns an
> unguessable session cookie S1 and a list of guessable proxy URLs PC1,
> PC2, ... When the user clicks on PC1, the browser also sends S1. The
> membrane service uses S1 and PC1 to determine the corresponding C1, to
> which it relays the GET operation.
> In Sandro's original proposal, marked by the #3 in the quoted section,
> the PCn URLs were unguessable. In Sandro's revised proposal, explained
> in the quoted section, the PCn URLs became guessable numbered slots.
> Now that the PCn URLs are guessable, an attacker can send the user's
> web browser an HTML form, whose action URL is a PCn URL. When the user
> clicks the submit button, the web browser will send the POST to the
> PCn URL and include the session identifier S1. The membrane service
> will see the request as a normal request from the user and relay the
> request to the corresponding Cn URL. This is a Confused Deputy attack.
> The revised password capability protocol is broken, no better than
> today's typical session based security in WWW applications.
Excellent! I agree this is a Confused Deputy attack. Fortunately, this
is not how I intended to address the numbered slots (I was still working
on the details at the time, so I apologize for any confusion). I suspect
you thought I was suggesting:
A request on this combined with the S1 cookie, does produce the above
In my mind, the C[n] must reference the membrane, since it is relative
to it. I'm still a little fuzzy on some web-calculus implementation
details, but I was envisioning something more like:
Something along those lines. Does that address your concern?
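
Added example, not part of the original message: a toy Python model of the membrane as Tyler Close describes it above, checking whether a form written without knowledge of any secret gets relayed to a wrapped capability. The class names, the `/pc/` path scheme, and the assumption that unguessable proxy URLs need no cookie are constructed for illustration.

```python
import secrets


class Membrane:
    """Toy membrane: maps proxy URLs (PCn) to wrapped cap URLs (Cn)."""

    def __init__(self, caps, guessable_slots):
        self.session = secrets.token_urlsafe(16)  # S1: unguessable cookie
        self.guessable_slots = guessable_slots
        self.table = {}
        for n, cap in enumerate(caps, start=1):
            # Revised proposal: numbered slots. Original proposal: unguessable PCn.
            pc = f"/pc/{n}" if guessable_slots else "/pc/" + secrets.token_urlsafe(16)
            self.table[pc] = cap

    def relay(self, pc, cookie):
        """Return the Cn a request would be relayed to, or None if refused."""
        if self.guessable_slots and not secrets.compare_digest(cookie or "", self.session):
            return None  # slot names carry no authority here; the cookie does
        return self.table.get(pc)  # assumption: an unguessable PCn is itself the authority


class Browser:
    """Attaches the membrane cookie to every request, whichever page built it."""

    def __init__(self, membrane):
        self.membrane = membrane
        self.cookie = membrane.session  # set by the earlier GET on PK1

    def submit(self, pc):
        return self.membrane.relay(pc, self.cookie)


def third_party_form_relayed(guessable_slots):
    """Does a form written without any secret reach a wrapped capability?"""
    membrane = Membrane(["C1", "C2"], guessable_slots)
    browser = Browser(membrane)
    form_action = "/pc/1"  # all a third-party page can name: a guessed slot
    return browser.submit(form_action) is not None


if __name__ == "__main__":
    print("numbered slots + cookie:", third_party_form_relayed(True))
    print("unguessable proxy URLs: ", third_party_form_relayed(False))
```

With numbered slots the membrane cannot tell the user's own click from a third-party form, because the only secret in the request is one the browser supplies on its own.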