[Gnumed-devel] GNUmed web interface - authentication


From: Richard Taylor
Subject: [Gnumed-devel] GNUmed web interface - authentication
Date: Thu, 07 Oct 2010 10:44:49 +0100
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4

Hi

Quick introduction: I just stumbled over GNU Med (followed a link from
Linux Weekly News). I am a Python programmer and I have some experience
of working on security issues in medical systems. I know very little
about GNUmed, so please forgive me if I say something that you are
all fed up with discussing already :-)

I was looking through the mailing list archive and got reading about
the design of the web interface. I was interested to read about your
decision to go with Pyjamas (cool system) and the problems you were
having with per-user authentication to the Postgres database.

I have a couple of observations about your chosen solution (please feel
free to ignore me):

It looks to me that there is a security problem with using session
cookies as the method of linking the user identity to the database
connection between requests. The concern is that it would be quite easy
to steal the cookie (either by monitoring the network or by pulling it
from the browser cookie store) and then hijack the session. This
could be partly mitigated if the proxy checked that the cookie was
coming from the same IP address that it was originally supplied to, but
this is still a problem if there is a NAT in the way. There is also a
problem that the proxy gets to see everyone's username and password, in
the clear. So if the proxy were subverted it would provide access to
everyone's credentials.

I wonder if you considered using TLS client certificates to provide the
persistent identity? Browsers now support client certificates quite
well. The web server can be configured to require a client
certificate and the application can access the 'Subject' of the client
cert for each request. So the server can map from the 'Subject' to a
cached database connection. This approach would also mean that a user
could move between client machines and still get connected to their open
database connection because the 'Subject' would still be the same.

Clearly the TLS approach has an overhead in the issuing and management
of certificates and this might be unacceptable in your user context.

I believe that TLS certificates are the direction that is being pursued
in the UK for single-sign-on across all medical systems. Although I have
no idea whether this strategy will survive the impending reorganizations.

I wish the GNUmed team all the best with your endeavors.

Regards

Richard

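As an added illustration (not part of Richard's post or of GNUmed's own code), here is the certificate-to-connection mapping he describes, using only Python's standard ssl module: a server context that refuses clients without a CA-issued certificate, a key derived from the verified Subject, and a cache of per-user database connections keyed on it. The CA/certificate paths and the connect factory are assumptions, and the sample certificates are constructed in the nested-tuple shape that SSLSocket.getpeercert() returns.

```python
import ssl
from dataclasses import dataclass, field
from typing import Callable, Dict, Mapping, Sequence, Tuple

# Shape of ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each
# RDN a tuple of (attribute_name, value) pairs.
PeerCert = Mapping[str, object]


def server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Build a TLS context that completes the handshake only for clients
    presenting a certificate issued by the CA in ca_file (paths assumed)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # no client certificate, no connection
    return ctx


def subject_dn(cert: PeerCert) -> str:
    """Flatten the verified Subject into a stable key like 'O=Clinic,CN=dr'.
    The TLS layer fills this in after verification, so unlike a cookie value
    it is not something the client can simply edit or replay."""
    rdns: Sequence[Sequence[Tuple[str, str]]] = cert.get("subject", ())  # type: ignore[assignment]
    short = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU"}
    parts = [f"{short.get(k, k)}={v}" for rdn in rdns for k, v in rdn]
    if not any(p.startswith("CN=") for p in parts):
        raise ValueError("client certificate has no commonName; refusing to map it")
    return ",".join(parts)


@dataclass
class ConnectionCache:
    """Map each certificate Subject to that user's open database connection.
    connect is a factory such as a psycopg2.connect wrapper bound to the
    user's role; it is injected so this example runs without PostgreSQL.
    Because the key is the Subject, the same user reconnecting from another
    machine is routed back to the same open connection."""
    connect: Callable[[str], object]
    _open: Dict[str, object] = field(default_factory=dict)

    def for_request(self, cert: PeerCert) -> object:
        key = subject_dn(cert)
        if key not in self._open:
            self._open[key] = self.connect(key)
        return self._open[key]


# Constructed sample certificates (not real GNUmed users).
DR_CERT: PeerCert = {"subject": ((("organizationName", "Example Clinic"),),
                                 (("commonName", "dr.example"),))}
NURSE_CERT: PeerCert = {"subject": ((("commonName", "nurse.example"),),)}
```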