[Seaside-dev] Re: Seaside Security

Philippe Marschall philippe.marschall at gmail.com
Mon Feb 10 18:02:47 UTC 2014


On Sun, Feb 9, 2014 at 2:37 PM, Philippe Marschall
<philippe.marschall at gmail.com> wrote:
> Hi
>
> Having had a few too many security reviews and secure coding events in
> the past few days I started working on a Seaside-Security package. The
> idea behind the package is that it contains things that you can add
> to your application to make it more secure. It doesn't contain things
> that we can add by default because they have to be configured
> specifically for your application. Right now the plan is for it to
> contain two things:
>  * filters that add additional headers (Content-Security-Policy,
> X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security)
>  * key generators for cryptographically secure session ids for Pharo/Squeak
> The filters would mean that the current
> WAStrictTransportSecurityFilter is moved from Seaside-Core to
> Seaside-Security and #iMeanIt is moved from Seaside-InternetExplorer
> to Seaside-Core. A limitation of the current
> WAStrictTransportSecurityFilter is that when reverse proxying it's
> hard to find out whether the original request was made with HTTPS or
> HTTP. AJP is the only adapter that I know of that finds this out
> reliably. Swazoo could find it out when not proxying but I don't know
> whether anybody uses this. CGI could in theory find it out but I don't
> know whether this is done currently.
> I don't know what the other platforms do but neither Pharo nor Squeak
> seem to ship a cryptographically secure PRNG. Therefore it's hard for
> Seaside to provide cryptographically secure session ids on these
> platforms so we don't do it (we could implement SHA1PRNG since we have
> SHA-1 on GRPlatform). We could in theory use OpenSSL RAND_bytes but
> the SqueakSSL plugin doesn't seem to provide access to it. This leaves
> us more or less with the Cryptography package [1]. It implements two
> cryptographically secure PRNGs: SHA1PRNG and Fortuna. I'm not super
> excited about this package. It's huge, contains failing tests and as
> far as I can tell you're somehow supposed to come up with a good seed
> on your own (we can just read from /dev/random on Unix but what do we
> do on Windows). If anybody knows of any better options please speak
> up.

Crypto-Nacl [1] seems to offer access to random bytes as well but I
can't find an RNG.

 [1] http://smalltalkhub.com/#!/~tonyg/Crypto-Nacl

Cheers
Philippe
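Added example, not part of the thread and not Seaside code: the two items on the proposed package's list, a response filter that adds Content-Security-Policy, X-Frame-Options, X-Content-Type-Options and Strict-Transport-Security, and a session-id generator backed by the operating system's CSPRNG, written in Python (as a WSGI middleware) rather than Smalltalk so it can be run as-is. It also shows the reverse-proxy problem raised above: the original scheme is taken from X-Forwarded-Proto only when the request arrives from an address in a trusted-proxy list, because any client can send that header. The proxy addresses, the header values and the demo application are constructed for the example; `secrets.token_urlsafe` reads from `os.urandom`, which uses /dev/urandom on Unix and the system crypto provider on Windows, so one code path covers both platforms.

```python
"""Security-header filter and CSPRNG session ids (added example, not Seaside code)."""
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Tuple

Headers = List[Tuple[str, str]]

# 128 bits of entropy per session id; the OS CSPRNG supplies the bytes.
SESSION_ID_BYTES = 16


def new_session_id(nbytes: int = SESSION_ID_BYTES) -> str:
    """Return a URL-safe session id drawn from os.urandom via the secrets module."""
    return secrets.token_urlsafe(nbytes)


def session_ids_equal(presented: str, stored: str) -> bool:
    """Constant-time comparison so timing does not leak how many leading bytes matched."""
    return hmac.compare_digest(presented.encode("ascii", "replace"),
                               stored.encode("ascii", "replace"))


# Constructed assumption: only these peer addresses are allowed to assert X-Forwarded-Proto.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def original_scheme(environ: Dict[str, str]) -> str:
    """Scheme of the client's original request, 'http' or 'https'.

    X-Forwarded-Proto is honoured only when the immediate peer is a trusted
    reverse proxy; otherwise the transport scheme the server itself saw is used,
    so a direct client cannot turn on HSTS by spoofing the header.
    """
    peer = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if peer in TRUSTED_PROXIES and forwarded:
        # A chain of proxies appends values; the first one is closest to the client.
        return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


# Constructed policy values; a real deployment tunes CSP to the application's sources.
SECURITY_HEADERS: Headers = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
]
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def security_headers(environ: Dict[str, str], existing: Iterable[Tuple[str, str]]) -> Headers:
    """Return the response headers with the security headers added.

    Headers the application already set are left alone, and HSTS is only sent
    when the original request was HTTPS: browsers ignore it over plain HTTP, and
    sending it there advertises a policy the server never verified it can meet.
    """
    out = list(existing)
    present = {name.lower() for name, _ in out}
    for name, value in SECURITY_HEADERS:
        if name.lower() not in present:
            out.append((name, value))
    if original_scheme(environ) == "https" and HSTS[0].lower() not in present:
        out.append(HSTS)
    return out


class SecurityHeaderFilter:
    """WSGI middleware: wraps start_response so every response passes through security_headers."""

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            return start_response(status, security_headers(environ, headers), exc_info)
        return self.app(environ, wrapped_start_response)


def _demo_app(environ, start_response):
    """Constructed application: one page, sets only its content type."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html>hello</html>"]


def run(environ: Dict[str, str]) -> Tuple[str, Headers, bytes]:
    """Drive the filtered demo app once and return (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(SecurityHeaderFilter(_demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


if __name__ == "__main__":
    proxied = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_PROTO": "https",
               "wsgi.url_scheme": "http"}
    print(run(proxied)[1])
    print(new_session_id())
```

The filter is placed outside the application so that a forgotten header in one handler cannot remove the policy, and the trusted-proxy check is the part that answers the HSTS question in the mail: without it, the filter would either never send HSTS behind a proxy or send it on the word of whoever wrote the X-Forwarded-Proto header.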

