5

I have a web app without TLS (I know it's not good, I try to take it as a challenge). The login has two steps: first, the admin sshs into the server and runs a maintenance companion program that provides a one-time (securely) randomized link. The one-time link leads to a login form. The one-time link is good for just 1 GET of login form and 1 form submit.

Does this actually give me more security? Could I do better?

Luc
  • 32,911
  • 8
  • 78
  • 138
Dominykas Mostauskis
  • 499
  • 5
  • 7
  • 3
    So you require a SSH login into your server every time you need access to your webapp....? –  Sep 05 '13 at 15:02
  • So, you have a strange 2-factor authentication where the second factor is on the web server itself? – schroeder Sep 05 '13 at 15:04
  • The admin logs in with his username and password passed over clear-text but the login form changes location randomly? – schroeder Sep 05 '13 at 15:06
  • @schroeder It's not two-factor if it all boils down to "something you know". – Iszi Sep 05 '13 at 15:16
  • 6
    Why is this being voted down? While I think that the proposal doe not provide any real security, I don't think it appropriate to vote down someone asking for an opinion on it. Nor do I think that it intrinsically lacks research effort. While it's not practical to enumerate all the things that make for poor security, that the lack of security has been explained in the answers (IMHO) makes this a valuable question. – symcbean Sep 05 '13 at 16:08

3 Answers3

7

Without SSL, your connection can be preyed upon by eavesdroppers: they can see the data, they can also alter the data, and generally hijack your connection once you have authenticated. They can do that regardless of the authentication method.

If you assume that there is no malicious individual who can see and/or modify traffic in-transit, then... there is no security problem, and basic authentication (as in "show the password") would work equally well.

So I can sum it up as: your one-time link obtained over SSH does not provide any significant improvement on security. Without SSL, the App was weak and is still weak. So I'd say, don't bother with it, in particular because forcing a SSH connection whenever a user wants to use the App is a big usability issue.

Instead, use SSL.

Tom Leek
  • 172,594
  • 29
  • 349
  • 481
  • I think that is an inappropriate answer: SSL and SSH suffer from the same vulnerability: is this the same person you spoke with the LAST time you spoke to them. SSH requires a new key everytime and our trust in the system relies on knowing when the key will have changed. SSL, has at least some 3rd parties handling the private keys. In the end, however, if you are able to get information from the server securely, then the server could run everything through a one-time pad. Neither is a great solution, SSL is better, but we need to start thinking of ways to make Cert Auths obsolete. – Indolering Sep 05 '13 at 18:12
  • @indolering I'm not sure you read the question or the answer fully. Your comment does not seem to apply to the model used by an ssh connection as described by the OP – schroeder Sep 05 '13 at 19:07
  • The "can I do better" suggests that he is open to alternate forms of authentication. I think knowing more about his constraints would help, "take it as a challenge" sounds an awful lot like a tech admin resigned to carrying out managements stupid IT decisions. – Indolering Sep 05 '13 at 19:34
5

Could I do better?

Yes, use SSL. This is a solved problem. We know how to do HTTP security, and you're trying to invent your own scheme. It's a bad idea. Don't do it.

Community
  • 1
tylerl
  • 83,435
  • 26
  • 152
  • 232
4

If you have SSH access, why not use an SSH tunnel?

ssh -L 8080:localhost:80 user@host
firefox http://localhost:8080

If you verified the SSH fingerprint, this is more secure than HTTPS: in HTTPS, you still have to trust all certificate authorities; with ssh, assuming you verified the fingerprint correctly, you know that it is the right server without a trusted third party.

Luc
  • 32,911
  • 8
  • 78
  • 138
  • 1
    But it would be nice too, if the webserver only listens on localhost for the login path. So that no one outside of localhost could login or, if more is wanted, could not see the website – Serverfrog Jan 08 '19 at 16:07