Re: Advice, security specification calls for using system login to do login to web application
- From: Ari <arisilverstein@xxxxxxxxx>
- Date: Thu, 30 Aug 2007 12:44:45 -0400
What do you care? It's their spec, let them deal with it.
On Tue, 28 Aug 2007 12:19:35 -0000, pantagruel wrote:
Hi,
I am reading over a governmental security specification that applies
to a type of governmental knowledge management application that is
invariably run over https.
According to the specification it supposes that login to the
application will be done by using the user's login to their operating
system, invariably assumed to be Windows.
Now from the few bits of security theory I can remember this seems
like a really bad idea, because it means that an attack on the
application can now be achieved by :
1. attacking the application and finding a flaw in how it gets the
login information
2. Attacking Windows, controlling a process and then attacking the
application with the hidden process. That hidden process should then
have the user's login credentials. For example start a hidden IE and
control its navigation.
3. Attacking the ACL system on Windows.
Anyway I guess the main thing irritating me about this spec is it
seems to assume that having authentication done automatically by using
the OS authentication is inherently more secure than other methods.
Anyone have any comments on this? Am I off base on my feeling that
this is more insecure than other methods?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
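Attack scenario 2 in the quoted message (a process in the user's session reusing the OS login against the web application) can be shown in a few lines. The following is an added illustration by the editor, not code from either poster; the application URL is a hypothetical placeholder, and it assumes the site is configured for integrated Windows authentication (Negotiate/NTLM) and sits in the browser's Intranet zone, which is what the specification describes.

```powershell
# Added editor example, not from the thread. Assumed URL of the
# knowledge-management app behind integrated Windows authentication.
$AppUrl = 'https://kmapp.example.gov/'   # assumption: hypothetical host

# 1. Any process running in the logged-on user's session can authenticate
#    to an integrated-auth site without ever seeing a password: the
#    Negotiate/NTLM handshake is completed with the ambient logon token.
$client = New-Object System.Net.WebClient
$client.UseDefaultCredentials = $true
$page = $client.DownloadString($AppUrl)
"Fetched {0} bytes as {1}\{2}" -f $page.Length, $env:USERDOMAIN, $env:USERNAME

# 2. The 'hidden IE' variant from the post: drive the user's own browser
#    out of sight via COM. IE sends the same ambient credentials to
#    Intranet-zone sites, so the application cannot distinguish this
#    navigation from a real click by the user.
$ie = New-Object -ComObject InternetExplorer.Application
$ie.Visible = $false
$ie.Navigate($AppUrl)
while ($ie.Busy) { Start-Sleep -Milliseconds 200 }
"Hidden browser landed on: {0}" -f $ie.LocationURL
$ie.Quit()
```

What the example makes concrete is that with OS-login SSO the application's authentication boundary is the user's interactive desktop session: every process in that session is, to the application, the user. The same holds for a cookie-based session once the desktop is compromised, so the difference is one of scope (the whole session rather than one browser's cookie jar) and of the absence of any separate secret the attacker must capture. The practical check is to ask whether the specification requires explicit re-authentication for sensitive operations, since the silent handshake above will never prompt.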