Process security for website

 
 
Simon Harvey
      07-07-2004
Hi all,

A new project I'm working on requires a high level of security - possibly
around the same level used by banks as it's dealing with highly confidential
medical info.

I'm thinking about the process of letting users register and get their
password.

The current suggestion is that when a user registers an interest, a staff
member has to authorise that person's entry into the site.
If the staff member believes this person to be legit, then the user is sent
an email asking them to come to the site.

When the user follows the link, they are told that they are about to be sent
their password (by email) and that it will be valid for 5 mins. The user
picks up their email, logs in and completes registration.

Now, that seems to me to be a rather drawn out solution.

Has anyone else implemented a solution that is ultra secure but also
relatively simple?

Thanks all

Simon
Nicole Calinoiu
      07-08-2004
Simon,

There are some rather big problems with the proposed solution, including the
following:

1. If you set the "timeout" on the invitation to be sufficiently short that
it is unlikely that someone will pick the credentials off an SMTP server
before the user receives the e-mail, you will also have a reasonably high
likelihood of the target recipient not receiving it in time. This means
that you should also plan for more "manual" processing, such as allowing the
new user to phone in for their temporary password. This also incurs risk
since it can be difficult to validate the identity of a caller.

2. If a potential attacker learns of the approval process (e.g.: by
attempting a new registration), an interception trap could be set for any
messages matching the pattern, allowing the attacker to receive the
temporary credentials before or instead of the intended recipient. This
attacker might be, for example, an employee of the ISP via which the e-mails
are being sent, so setting such a trap may be quite trivial.

While encrypting the e-mail would be a potential workaround for the above
problems, a better approach would be to allow the new user to enter their
desired credentials with the initial request. Then, instead of transmitting
credentials in the subsequent e-mail, simply send a message indicating
whether the registration request was approved or denied. Obviously, there
are still plenty of issues surrounding validation of the requester's
identity, but I'm guessing that the staff approval might be intended to
address at least part of that problem.

HTH,
Nicole
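A minimal implementation of the approach Nicole describes, as an added example and not code from this thread: the requester chooses a password with the initial request, only a salted hash is stored, the staff decision e-mail carries nothing but "approved" or "denied", and login is refused until approval. Python is used so it runs stand-alone; the Registry class, its in-memory store and the outbox list are assumed stand-ins for a database and a mail sender.

```python
"""Staff-approved registration where no credential ever travels by e-mail."""
import hashlib
import hmac
import os

PENDING, APPROVED, DENIED = "pending", "approved", "denied"


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class Registry:
    """Assumed stand-in for the user table plus an outgoing-mail queue."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}
        self.outbox: list[tuple[str, str]] = []  # (recipient, body) pairs

    def request(self, email: str, password: str) -> None:
        """User supplies desired credentials up front; store only the hash."""
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest, "state": PENDING}

    def decide(self, staff: str, email: str, approve: bool) -> None:
        """Staff approval or denial; the notification carries no secret."""
        state = APPROVED if approve else DENIED
        self.users[email]["state"] = state
        self.users[email]["decided_by"] = staff
        self.outbox.append((email, f"Your registration request was {state}."))

    def login(self, email: str, password: str) -> bool:
        """Constant-time hash comparison, and only for approved accounts."""
        rec = self.users.get(email)
        if rec is None or rec["state"] != APPROVED:
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["hash"])
```

Because the password is chosen before staff review, an intercepted approval message yields nothing an attacker can log in with.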