[development] Security and Drupal

António P. P. Almeida appa at perusio.net
Sun Jan 9 17:44:30 UTC 2011


On 9 Jan 2011 17h25 WET, Greg at growingventuresolutions.com wrote:

> On Sun, Jan 9, 2011 at 8:12 AM, António P. P. Almeida
> <appa at perusio.net> wrote:
>> 3. There's a very nice module http://drupal.org/project/safer_login
>> that sends a salted double pass MD5 hash of your password. It uses a
>> jQuery MD5 plugin. The issue is that it has problems with the usual
>> password saving mechanism in browsers, since what appears in the
>> password form field is the hash and not the password. If you can live
>> with *always* entering your password, hence not relying on the
>> convenient password remembering mechanism available in browsers, this
>> is a very cheap and easy way of securing the login process.
>
> This secures the password, but not the session. The session token is
> still sent in the clear and can be sniffed and hijacked (see
> Firesheep).

Yes, I know that.

> The safer_login module is mostly "security theater" designed to make
> people feel good but not actually increase security.

Well, it's a tiny bit better than sending the password in plain
text. In fact there's no mechanism whatsoever to secure the
session. For that you need full TLS and to mark the cookies as secure.

> I think OpenID where users can have a provider that uses https is a
> better solution if the only goal is to protect the user password but
> not necessarily the session. OpenID has the benefit of reducing the
> number of passwords that a user has to remember and can make it more
> cost effective to do multi-factor authentication (e.g. using a
> SecurID token).

Yes, it's more convenient. Also there's no interference with the usual
browser password remembering mechanism. Thank you for elaborating on
that. Of course you're then relying on an external service for
handling the authentication. If you really want to be safe, IMHO, the
only option is using TLS and disabling all insecure cipher suites and
key exchange algorithms.

If you're on Chrome/Chromium or using Firefox with NoScript you can
set the STS header and force access to always be HTTPS. But I
digress...

I also think that the price you pay in terms of computing power is
very small if the server is correctly configured with an SSL session
cache.

--- appa
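The two controls the message comes back to, session cookies marked Secure (and HttpOnly) and a Strict-Transport-Security header, are easy to verify from a server's response. The following is an added example written for this page, not code from the thread, from the safer_login module or from Drupal: it parses a raw HTTP response and lists which of those controls are missing. The two responses it runs over are constructed samples; the cookie names follow Drupal's SESS/SSESS naming pattern, but the hash suffix and token values are made up.

```python
# Added example (not from the original thread): audit a server's HTTP
# response for Secure/HttpOnly session cookies and a usable
# Strict-Transport-Security (STS/HSTS) header. Both sample responses below
# are constructed for this example, not captured from a real site.


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...]).

    Headers are kept as a list rather than a dict because Set-Cookie may
    appear several times and every instance has to be checked.
    """
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attributes(set_cookie):
    """Return (cookie name, {attribute: value}) for one Set-Cookie value.

    Flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _eq, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def hsts_max_age(value):
    """Return the max-age (seconds) of an STS header value, or None if absent."""
    for directive in value.split(";"):
        key, _eq, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def audit(raw):
    """Return a list of findings; an empty list means both controls are present."""
    _status, headers = parse_response(raw)
    findings = []

    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    elif not hsts_max_age(hsts[0]):  # a missing or zero max-age disables HSTS
        findings.append("Strict-Transport-Security has no positive max-age")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure: also sent over plain HTTP" % cookie)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly: readable by page scripts" % cookie)
    return findings


# Constructed sample: a plain-HTTP login response. Cookie name follows the
# Drupal SESS<hash> pattern; the hash and token are invented.
INSECURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SESS0123456789abcdef=exampletoken; "
    "expires=Sun, 09 Jan 2011 18:00:00 GMT; path=/\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same response served over TLS with both controls.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: SSESS0123456789abcdef=exampletoken; path=/; secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)


if __name__ == "__main__":
    for label, response in (("insecure", INSECURE_RESPONSE),
                            ("hardened", HARDENED_RESPONSE)):
        print(label, audit(response) or ["ok"])
```

Run against a live server, the same `audit()` can take the output of any tool that dumps raw response headers; the point of the check is that a client-side password hash changes nothing in this list, since the session cookie is what a sniffer on an unencrypted network reuses.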