[Esapi-user] [Esapi-dev] Why ESAPI crypto uses a custom serialization scheme

Kevin W. Wall kevin.w.wall at gmail.com
Sat May 1 12:00:00 EDT 2010


Jim Manico wrote:
> This is not even a security issue in my mind. It's just getting chit to
> work.
> 
> Requirements:
> 
> 1) web 3.0 style client ( pure js )
> 2) no plug in dependencies
> 3) webservice(s) require signed request body
> 
> I do not trust client side controls for obvious reasons. But the
> scenario above is becomming very common for enterprises and other
> organizations who use the latest web technologies.

BTW, forgot to mention, that while I see a lot of pure JS / XML being
passed around (a good example is SAML's Browser POST Profile) through
the client's browser, realize that that is a bit of a different animal
wrt crypto. There the SAML assertions (which use XML Digital Signature
and XML Encrypt) are created on the server and validated on the server
and the BPP redirect just uses the JavaScript to POST to get the SAML
assertion from one DNS domain to another. If that JavaScript is
intercepted and the SAML assertion gets redirected, it's generally
not a major security issue. (The exception would be if one were sending
sensitive PII in the SAML assertion as attributes and the IdP side
decided that it did not need to do a separate encryption of the
SAML assertion; i.e., a configuration error on the IdP.)

What I have *NOT* see (except once with a signed applet) was where
the client itself performs some encryption / decryption and it is
interacting with the server over an non-secured comm channel.  If you
are starting to see that sort of thing, are you are liberty to give
us a hint as to what sort of application it is for? I need to know
whether it is something that I should be watching out for.

Thanks,
-kevin


-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME


More information about the Esapi-user mailing list