My question is about SSL. In my scenario, I have an MVC 4 application where users can log in using the Simple Membership and place orders that are processed by an external application, in my case, PayPal. The question is, how important would a secured connection be in order to perform these tasks? In my mind, since there is an external application that processes the order, there should not be any need to have SSL, however, because the log in operation is taking place on the actual application, it would be an advantage to secure that connection?
Paypal is a very secure platform for processing your payment so I wouldn't worry about it.
the only thing I see that you may or may not wanna worry about is the user/password which is transferred over the wire and without SSL they may get rubbed which is not too important for 2 reasons:
1: you are just starting a site and no one is willing to take time to crack it at this point. (you may consider SSL later on)
2: at this point, your website user and password will have no value to anyone. big websites like facebook, google, stackoverflow didnt have SSL for quite a while.
3: your users have to login to their paypal later on which is quite secure and even if not, is not your responsibility.
if you were accepting credit card info, I would have said 100% you need SSL, but Paypal is doing it for you.
Related
I am creating a new React SPA. Users of a legacy app need be able to use the new app without re-authenticating. So I need to support SSO.
It's important to note that it is also required that users of other (currently unspecified) apps should also be able to use the new app without re-authenticating, so whatever approach I take needs to be sufficiently decoupled to potentially allow this.
The legacy app supports authentication via Shibboleth, the new app currently has no authentication method, but uses JWT for authorisation.
I'm wondering if anyone has any experience of such a scenario? It seems to me that I probably need to be create an OAuth2 authorisation server for the new app to talk to and I need to somehow bring Shibboleth into the mix for the authentication, maybe with the authorisation service acting as a Shibboleth Service Provider. Googling around hasn't revealed much useful info.
Is what I've described along the right lines? I know it's very high level and woolly, but I'm really not sure of the approach to take. Any advice, information or experience in this area would be gratefully received!
GOALS
It's a little bit of a subjective question, but the main goals are usually as follows:
Focus on building your UI and API security in a future facing manner
Also provide good Login Usability
Also deliver on non functional requirements such as availability / reliability
AUTHORIZATION SERVER
On the first point, the modern option is to integrate UIs and APIs with an Authorization Server - perhaps as in My Tutorial. Your architecture is then good, but the migration is not trivial.
FEDERATING TO SHIBBOLETH
The Authorization Server can then redirect to Shibboleth and talk SAML2.0 to achieve Single Sign On, as you suggest. It is a complex solution though, and may be a backwards step in some ways.
AVAILABILITY
This is usually a big concern, and most companies use a cloud provider such as Azure / AWS due to its high availability / low maintenance / low cost. Would this be a better option for you?
So I'm creating an iOS framework that will be a static library that developers will add to their project, when they create an account on our site I'd like to give them a unique token that they put in their app to use my static library.
For iOS dev's, think TestFlight, you sign up, get an App ID and then run [TestFlight takeOff:<#some-key#>];
I'd like to authenticate the requests that the framework makes to my REST webservice (using https).
Is there anything I can do to prevent people from "breaking into the app code" and stealing the developers api token and using it to make requests? My api endpoints will not be public information, at least for now. and I can't authenticate the user because it's a framework and that would be an awful UX.
The question is, is there anything I can do to prevent this sort of behavior? Should I even care? I will charge the developer per X requests eventually so I was hoping to authenticate this so we don't have spammers racking up a bill for the developer.
How do other iOS frameworks handle this?
Any design ideas and criticism welcome.
I'm not sure what you're trying to do is ever possible. If the text is in the client code, it can be pulled out. SSL-pinning won't really help you here either because the cert is in the client binary as well.
One way you might be able to get close is to use the developer's authentication system. Say a user logs in into the developer's auth system, then server side you generate a short-lived key for that user. Then the client code can be passed (over SSL-pinning) that short-lived key and use that to make your API calls. However, this requires the developer to actually have a secure auth system, and without SSL-pinning, they're vulnerable to a simple man-in-the-middle attack which will reveal the short-lived key.
You can try to minimize the damage by throttling API calls on your end, or trying using per-app heuristics to approximate what normal API usage would look like. Anything out of the norm will get flagged as potentially hacker based. That might be enough to flush out most of the wanna-be-hackers. The true hackers will learn of the throttling and be clever about circumventing it...
Your safest bet is to make it a server-side library instead of a client-side library. However, that's certainly not a super-sexy solution either. Not all apps have a server side component... and even if they do, once the developer's server is compromised (ie. gets spammed or hacked, etc) it's game over once again. But, in the end, the nice thing about a server-side solution is that you're at least less vulnerable to an attack and you put the responsibility of securing the system on the developer.
What's really lacking here is some form of Apple-based verification for network calls originating from Apple devices.... but that probably won't ever happen. :)
UPDATE: I failed to mention earlier that we want solution that will be flexible with authenticating users from within our databases or by asking other servers to tell us if the user is authenticated. It is also worth mentioning that these other servers are not under our control so we can't enforce a specific user model.
I had a long and hard read on OAuth and OpenID but they are both not a suitable solution for our situation and will make the process harder to the user. This is something that has been solved a thousand times, yet I cannot find the solution.
What we are looking for is a framework that can be used in a REST services server to authenticate users (no third-party clients involved) with their username and password.
The solution must not pass the username and password except the first time on login and use tokens for further authentication. Even though OAuth does use tokens, it is designed to allow third-party clients access to the service-providers resources. That is not the case here, the services are for our own application only, the only thing needed is user authentication.
What do you guys think is the most appropriate solution?
Configuration:
-Spring server that provides RESTful services with our thinking going towards using Spring Security with some user management and token management framework.
-iOS Device that will be making HTTPS calls to the server.
What we ultimately want is to have the device send a login request and receive a token if the login was successful, later on make requests using that token. Just like Facebook, excluding third-party involvement.
Is there something that is ready to be configured in our server? Or should we consider building our own token management, comparison and generation software?
Is using Spring-Security with an iOS application without involving storing cookies or redirecting to pages possible?
OpenStack offers as part of it's many projects related to open source cloud... the project Keystone. Which does this pretty much exactly what you want.
You might want to check it out here:
http://docs.openstack.org/developer/keystone/
I'm coding a desktop application for our university . Users need to signup before using this software and registration request is sent to a server written by me, too. So I'm struggling with kind of network application. ( Suppose that the request format is as simple as a HTTP request sent to an arbitrary port number )
But now I'm wondering whether it's necessary to protect registration process using CAPTCHA or not? Do I need to ensure that the signup request is not generated by a computer?
As your application is for a limited user group (your university only), I think you do not need a captcha, because the risk is very low that someone is in this group how wants to annoy you.
Also scripting for a desktop application is (a bit) more complicated than for web applications, this will decrease the risk, too. IF you are struggling with bot-registrations you could still ship the captcha as an update and only accept registrations from the updated version, don't you?
I think that would irritate the human users, who, I believe, would make all your users. Please note that on the net, only a small portion of users are bots. What about a campus? How many computers are on a campus to be worry about? Besides, all those computers are supervised by people you know, and even if a program is installed on one of them (or even all of them) to joke with you, you can call the authorities of the university. So if I were you, I would put my time on betterment of other things, instead.
No you don't need CAPTCHA. CAPTCHA was made because of the limitations imposed by a web browser while still wanting the wide availability that a website provides. Your application doesn't have either of these limitations. Your desktop application can implement whatever security methods it wants and it only needs to be distributed to a specific set of clients.
That doesn't mean you shouldn't have some security policies set up to prevent anyone on the school campus (or internet) from telneting to the port and creating an account. This can most easily be done by using PKI and distributing a unique private key and open public key with the desktop application. The server can then verify that the client has the private key before accepting registrations (plus you could encrypt any communications between the client/server). Of course anyone with access to the desktop application could get the private key, but it's at least more secure than not doing anything at all to prove they can register accounts.
I'm currently building a mobile application (iOS at first), which needs a backend web service to communicate with.
Since this service will be exposing data that I only want to be accessed by my mobile clients, I would like to restrict the access to the service.
However I'm in a bit of a doubt as to how this should be implemented. Since my app doesn't require authentication, I can't just authenticate against the service with these credentials. Somehow I need to be able to identify if the request is coming from a trusted client (i.e. my app), and this of course leads to the thought that one could just use certificates. But couldn't this certificate just be extracted from the app and hence misused?
Currently my app is based on iOS, but later on android and WP will come as well.
The web service I'm expecting to develop in nodejs, though this is not a final decision - it will however be a RESTful service.
Any advice on best practice is appreciated!
Simple answer: You cannot prevent just anybody from acecssing your web site from a non-mobile client. You can, however, make it harder.
Easy:
Send a nonstandard HTTP header
Set some unique query parameter
Send an interesting (or subtly non-interesting) User Agent string
(you can probably think of a few more)
Difficult:
Implement a challenge/response protocol to identify your client
(Ab)use HTTP as a transport for your own encrypted content
(you can probably think of a few more)
Of course anybody could extract the data, decompile your code, replay your HTTP requests, and whatnot. But at some point, being able to access a free Web application wouldn't be worth the effort that'd be required to reverse-engineer your app.
There's a more basic question here, however. What would be the harm of accessing your site with some other client? You haven't said; and without that information it's basically impossible to recommend an appropriate solution.