tags:

views:

2000

answers:

9
+3  Q: 

https URL with token parameter : how secure is it?

On our site, we provide to users a simulation based on their private information (given through a form). We would like to allow them to get back on their simulation results later, but without forcing them to create a login/password account.

We have thought of sending them an email with a link, from which they could get back their results. But, naturally, we have to secure this URL, because private data is at stake.

So we're intending to pass a token (like a 40 characters combination of letters and digit, or a MD5 Hash) in the URL and to use SSL.

Finally, they would receive an email like that :

Hi,
Get back your results on https://www.mysite.com/load_simulation?token=uZVTLBCWcw33RIhvnbxTKxTxM2rKJ7YJrwyUXhXn

What do you think about it? Is it secure enough? What would you advise me for the token generation? What about passing URL parameters in a https request?

A: 

E-mail is inherently insecure. If anyone can click on that link and get to the data, you're not really protecting it.

Jason Punyon  2009-03-13 15:55:34
Exact but many many sites don't bother about that and send login/passwords by mail. But it's not a reason to imitate them...
Flackou  2009-03-13 16:06:36
I agree no reason to imitate them, but they usually tell you to change the password after you login the first time.
Jason Punyon  2009-03-13 17:32:39
A: 

SSL secures the contents of the data in transit, but I'm not sure about the URL.

Regardless, one way to mitigate an attacker reusing that URL token is to make sure each token can only be used once. You could even set a cookie so that the legitimate user can continue to use the link, but after the first access it will only work for someone with the cookie.

If the user's email is compromised and an attacker gets the link first, well, you're hosed. But the user also has bigger problems.

Eli  2009-03-13 15:55:39
The SSL connection is secured before the URL is transmitted.
David  2009-03-13 16:34:13
A: 

You are aware that if any hacker get access to your database a lot of personnal information can be freely given ?

After that I would say that this is not bad as idea. I would not use MD5 or SHA1 as they are not very secure for hashing. They can be "decrypted" (I know it's not encryption) quite easily.

Otherwise I would maybe use a second information that would not be sent by email kind of a password. The reason is quite simple, if someone get access to the user's email (quite easy with hotmail if you don't kill your session) he will have access to any informations the user have sent.

Note that the HTTPS will secure and crypt data sent from your site to the end user. Nothing else, take it as a secure tunel. Nothing more nothign less.

Erick  2009-03-13 15:56:30
How exactly is a salted SHA1 hash decrypted in any sense of the word?
Eli  2009-03-13 16:05:04
"You are aware that if any hacker get access to your database a lot of personnal information can be freely given ?" Yes, but isn't it a problem for all websites ??
Flackou  2009-03-13 16:08:45
@Flackou yep but if you gain access to paypal's db you won't find clearly saved credit card informations everything is encrypted.@Eli : http://www.theregister.co.uk/2005/02/17/sha1_hashing_broken/
Erick  2009-03-13 16:12:48
A: 

Well the token is secure when being passed through SSL. The problem you are going to have is that it is avilable to people (those who it is not intended for) by being able to view the URL.

If it's private information like SSN I don't think I would send a URL through email. I would rather have them create a username and password for the site. It's too easy to compromise an email with that kind of information at stake for you and for them. If someone's account is comprimised it will come into quesion whose fault it really is. The more secure the better you are from a strictly CYA standpoint.

Kevin  2009-03-13 15:56:47
You're right : the URL would remain in the browser history for instance
Flackou  2009-03-13 16:12:03
A: 

From what I understand of your idea, in theory someone could type in a random 40 character string or MD5 hash and get someone elses details. Whilst this may be highly unlikely it only needs to happen once.

A better soloution might be to send the user a token then ask them to enter some of the details, such as their name, post code, ssn or a combination of these.

Richard Slater  2009-03-13 15:56:48
SSN? Are you serious? Anyway, I suggest you do the math on how many 40 character random strings there are. It's more than just "highly unlikely"
Eli  2009-03-13 16:03:57
You're right, we should probably add another parameter in the url, like the email (even if a..z + A..Z + 0..9 = 62 characters, and 62^40 is a quite big number).
Flackou  2009-03-13 16:05:16
Guys, 62^40 is considerably more than the number of atoms in the universe. It is literally unguessable.
Eli  2009-03-13 16:08:12
I appreciate 62^40 is huge; there is still a chance however tiny, someone could brute force the URL until they hit upon someones personal details. Rather than send it in the e-mail, ask them a simple question e.g. DOB, then even if someone guesses the string they would have to guess the DOB too.
Richard Slater  2009-03-13 19:35:49
I'm sorry, but your math just doesn't add up. 62^40 is 496212362459367066914366580195701544604991251555593230875525121862270976 possibilities. Adding a check for DOB adds perhaps 30,000 to that. You're nuts if you think that makes a difference in any meaningful way.
Eli  2009-03-14 17:15:16
I'm surprised how many people can't grasp the scale of these numbers. If you were guessing a MILLION tokens a second, it's far more likely that the sun would burn out before you get a hit
Eli  2009-03-14 17:19:03
You don't have to go through every single possibility to get a hit what happens if someones URL just happens to be in the first million posibilities?
Richard Slater  2009-03-16 08:31:32
Richard, it sounds like you're pointing out what is usually called the Birthday Paradox... it's not just the number of possible combinations that matters, but how many of them are used. Well, in this case, you need to use about 2^119 of the 62^40 combinations before the chance becomes significant.
erickson  2009-03-16 17:22:31
A: 

I really wouldn't that consider that secure enough for a situation where there are serious privacy issues. The fact that you're sending the URL in a (presumably cleartext) email is by far the weakest link. After that is the risk of brute force attacks on the tokens, which (lacking the structure of a real authentication mechanism) are likely to be more vulnerable than a well-constructed username and password setup.

There are no issues at all with the parameters in a https request, incidentally.

chaos  2009-03-13 15:58:16
You're right about the risk of brute force attacks. I don't see how we could prevent bots from this type of attack. Ban "insisting" IPs wouldn't be a sufficient protection. Would you have ideas on the subject?
Flackou  2009-03-13 16:52:34
Actually, with the kind of key space we're talking about, putting a if(this_ip_number_has_requested_an_invalid_token_today()) sleep(5); in your load_simulation script would be perfectly sufficient protection. (Rate limiting is one of those features of good authentication mechanisms.)
chaos  2009-03-13 16:59:20
Thanks for your answer. But I thought that a same bot could easily take different IPs which made IP rate limit not sufficient. Am I wrong?
Flackou  2009-03-13 17:05:14
All that gets them is one undelayed attempt per IP. IP address space is not so easily available that that's helpful.
chaos  2009-03-13 18:17:00
+9  A: 

SSL will protect the query parameters in transit; however, email itself is not secure, and the email could bounce along any number of servers before getting to its destination.

Also depending on your web server the full URL might get logged in its log files. Depending on how sensitive the data is you might not want your IT people having access to all the tokens.

Additionally the URL with the query string would be saved in your user's history, allowing other users of the same machine to access the URL.

Finally and what makes this very insecure is, the URL is sent in the Referer header of all requests for any resource, even third party resources. So if your using Google Analytics for example, you will send Google the URL token in and all to them.

In my opinion this is a bad idea.

JoshBerke  2009-03-13 16:15:45
I hadn't thought about the HTTP-referer problem, but the url link would redirect to the result page, it wouldn't be a proper page (no google analytics or other third party script).
Flackou  2009-03-13 16:41:45
+2  A: 

I'd use a cookie for that. The workflow should be like this:

  1. User comes to your site for the first time.
  2. Site sets a cookie
  3. User enters data. Data is stored in the DB using some key that is stored in the cookie.
  4. When user leaves, you send them an email with a https: link
  5. When user comes back, site discovers the cookie and can present the user with the old data.

Now, the user wants to use a different browser on a different machine. In this case, offer a "transfer" button. When the user clicks on this button, she will get a "token". She can use this token on another computer to reset the cookie. This way, the user decide how secure she wants to transfer the token.

Aaron Digulla  2009-03-13 16:18:47
A: 

As it is, it would be a bad idea. You will scarify security with easy usage. As said before SSL will only protect the transfer of information between the server and client browser and will only prevent the middle man attack. Emails are very risky and insecure.

The best would be a User name and password authentication to access the information.

I like the cookie idea more or less. You should encrypt the cookie information as well. You should also generate the token with salt and key phrase plus the $_SERVER['HTTP_USER_AGENT'] to limit the probability of an attack. Store as much nonsensitive information about the client in the cookie for verification usage.

The key phrase could be stored in the cookie for easy usage but keep in mind that also cookie can be stolen =(.

Better let the client type the key phrase that he provided, which is also stored in the database along with his data.

Or, the key can be used in case the person uses a different machine which differs in the $_SERVER['HTTP_USER_AGENT'] parameters or simply misses the cookie. So the cookie can be transfered or set.

Also make sure that sensitive data is encrypted in the database. You never know ;)

 2009-04-08 16:42:27

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security