Advice, security specification calls for using system login to do login to web application

Hi,

I am reading over a governmental security specification that applies
to a type of governmental knowledge management application that is
invariably ran over https.
According to the specification it supposes that login to the
application will be done by using the users login to their operating
system, invariably assumed to be Windows.


Now from the few bits of security theory I can remember this seems
like a really bad idea, because it means that an attack on the
application can now be achieved by :

1. attacking the application and finding a flaw in how it gets the
login information
2. Attacking windows, controlling a process and then attacking the
application with the hidden process. That hidden process should then
have the users login credentials. For example start a hidden IE and
control its navigation.
3. Attacking the ACL system on Windows.

Anyway I guess the main thing irritating me about this spec is it
seems to assume that have authentication done automatically by using
the OS authentication is inherently more secure than other methods.

Anyone have any comments on this? Am I off base on my feeling that
this is more insecure than other methods?

What do you care? It's their spec, let them deal with it.

On Tue, 28 Aug 2007 12:19:35 -0000, pantagruel wrote:

> Hi,
>
> I am reading over a governmental security specification that applies
> to a type of governmental knowledge management application that is
> invariably ran over https.
> According to the specification it supposes that login to the
> application will be done by using the users login to their operating
> system, invariably assumed to be Windows.
>
> Now from the few bits of security theory I can remember this seems
> like a really bad idea, because it means that an attack on the
> application can now be achieved by :
>
> 1. attacking the application and finding a flaw in how it gets the
> login information
> 2. Attacking windows, controlling a process and then attacking the
> application with the hidden process. That hidden process should then
> have the users login credentials. For example start a hidden IE and
> control its navigation.
> 3. Attacking the ACL system on Windows.
>
> Anyway I guess the main thing irritating me about this spec is it
> seems to assume that have authentication done automatically by using
> the OS authentication is inherently more secure than other methods.
>
> Anyone have any comments on this? Am I off base on my feeling that
> this is more insecure than other methods?


--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

pantagruel wrote:

> Hi,
>
> I am reading over a governmental security specification that applies
> to a type of governmental knowledge management application that is
> invariably ran over https.
> According to the specification it supposes that login to the
> application will be done by using the users login to their operating
> system, invariably assumed to be Windows.


No, this invariably assumes NTLM authentication which is not just limited to
Windows, but is not a part of the HTTP specification.

> Anyway I guess the main thing irritating me about this spec is it
> seems to assume that have authentication done automatically by using
> the OS authentication is inherently more secure than other methods.


It is. A mandatory authentication which pretty much shields the credentials
from being abused by the user or being entered into a spoofed dialogue.