[Seaside-dev] Seaside Security

Philippe Marschall philippe.marschall at gmail.com
Sun Feb 9 13:37:19 UTC 2014


Hi

Having had a few too many security reviews and secure coding events in
the past few days I started working on a Seaside-Security package. The
idea behind the package is that it contains things that you can add
to your application to make it more secure. It doesn't contain things
that we can add by default because they have to be configured
specifically for your application. Right now the plan is for it to
contain two things:
 * filters that add additional headers (Content-Security-Policy,
X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security)
 * key generators for cryptographically secure session ids for Pharo/Squeak
The filters would mean that the current
WAStrictTransportSecurityFilter is moved from Seaside-Core to
Seaside-Security and #iMeanIt is moved from Seaside-InternetExplorer
to Seaside-Core. A limitation of the current
WAStrictTransportSecurityFilter is that when reverse proxying it's
hard to find out whether the original request was made with HTTPS or
HTTP. AJP is the only adapter that I know of that finds this out
reliably. Swazoo could find it out when not proxying but I don't know
whether anybody uses this. CGI could in theory find it out but I don't
know whether this is done currently.
I don't know what the other platforms do but neither Pharo nor Squeak
seem to ship a cryptographically secure PRNG. Therefore it's hard for
Seaside to provide cryptographically secure session ids on these
platforms so we don't do it (we could implement SHA1PRNG since we have
SHA-1 on GRPlatform). We could in theory use OpenSSL RAND_bytes but
the SqueakSSL plugin doesn't seem to provide access to it. This leaves
us more or less with the Cryptography package [1]. It implements two
cryptographically secure PRNGs: SHA1PRNG and Fortuna. I'm not super
excited about this package. It's huge, contains failing tests and as
far as I can tell you're somehow supposed to come up with a good seed
on your own (we can just read from /dev/random on Unix but what do we
do on Windows). If anybody knows of any better options please speak
up.

 [1] http://smalltalkhub.com/#!/~Cryptography/Cryptography

Cheers
Philippe
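The two pieces Philippe describes (a filter that adds the security headers, only emitting Strict-Transport-Security when the original request really was HTTPS, and session ids drawn from a cryptographically secure generator) are illustrated below in Python. This is an added example for this page, not Seaside code and not the Seaside-Security package; it assumes a WSGI-style `environ` dictionary and the `X-Forwarded-Proto` header as the reverse proxy's way of passing on the original scheme, neither of which the mail mentions. The `HashPrng` class is a toy SHA-1 based construction in the spirit of SHA1PRNG, shown only to make the seeding point concrete; the `new_session_id` function using the OS CSPRNG is the one to actually use.

```python
"""Added illustration of a security-header filter and CSPRNG session ids.
Not Seaside code; the WSGI-style environ and X-Forwarded-Proto are assumptions."""
import hashlib
import os
import secrets

# Headers the filter always adds.  The CSP value is a constructed placeholder;
# a real application must tune it to the resources it actually loads.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def request_is_https(environ, trust_forwarded_proto=False):
    """Decide whether the *original* client request used HTTPS.

    Behind a reverse proxy the application only sees plain HTTP, so the
    proxy's X-Forwarded-Proto header (assumed convention) is consulted, but
    only when the deployment declares the proxy trusted: without a proxy in
    front, that header is whatever the client chose to send.
    """
    if trust_forwarded_proto:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            # A chain of proxies may append values; the first is the client side.
            return forwarded.split(",")[0].strip().lower() == "https"
    return environ.get("wsgi.url_scheme", "http").lower() == "https"


def security_headers_for(environ, trust_forwarded_proto=False):
    """Return the headers the filter adds to the response for this request.

    Strict-Transport-Security is only emitted on HTTPS responses; browsers
    ignore it on plain HTTP, so sending it there would be misleading anyway.
    """
    headers = dict(SECURITY_HEADERS)
    if request_is_https(environ, trust_forwarded_proto):
        headers["Strict-Transport-Security"] = HSTS_VALUE
    return headers


def new_session_id(nbytes=24):
    """Session id drawn from the OS CSPRNG.

    secrets.token_urlsafe reads os.urandom, which is /dev/urandom on Unix and
    the system CSPRNG on Windows, so the "what do we do on Windows" question
    is answered by the platform rather than by the application.
    """
    return secrets.token_urlsafe(nbytes)


class HashPrng:
    """Toy SHA-1 based generator in the spirit of SHA1PRNG.

    Each block is SHA-1 over the secret state and a counter, and the state is
    ratcheted after every block.  Its security rests entirely on the seed,
    which is the point made in the mail; prefer new_session_id() in practice.
    """

    def __init__(self, seed=None):
        # Default seed comes from the OS CSPRNG; a caller-supplied seed exists
        # only so tests can check determinism.
        raw = seed if seed is not None else os.urandom(32)
        self._state = hashlib.sha1(raw).digest()
        self._counter = 0

    def next_bytes(self, n):
        out = bytearray()
        while len(out) < n:
            block = hashlib.sha1(self._state + self._counter.to_bytes(8, "big")).digest()
            self._counter += 1
            # Ratchet so that leaking a later state does not reveal earlier output.
            self._state = hashlib.sha1(self._state + block).digest()
            out.extend(block)
        return bytes(out[:n])

    def session_id(self, nbytes=20):
        return self.next_bytes(nbytes).hex()


if __name__ == "__main__":
    plain = {"wsgi.url_scheme": "http"}
    proxied = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"}
    print(security_headers_for(plain))
    print(security_headers_for(proxied, trust_forwarded_proto=True))
    print(new_session_id(), HashPrng().session_id())
```

The `trust_forwarded_proto` switch is the detail worth keeping: the filter has no way of knowing whether a forwarded-scheme header came from your proxy or from the client, so the decision has to be a deployment setting, which is why the mail says this cannot be enabled by default.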

