Web Profile and security
Tom McGlynn
Thomas.A.McGlynn at nasa.gov
Wed Dec 15 11:11:13 PST 2010
Hi Mark,
I'm a bit confused as to whether HTTPS really does what we want.
Since I don't know enough to frame this question succinctly let me set
things up to clarify what bothers me.
Let's suppose we have a situation where we have two SAMP enabled
applications that are talking to each other using the WebSAMP hub.
At least one of these applications is a Web application (we're only
going to talk about that one and the hub in fact).
If we add the browser there are four 'applications' that are
collaborating here.
For simplicity, I assume that the user explicitly starts the hub
(though it would be nice if a Web application could autostart the hub
the way Aladin or TOPCAT do. Perhaps this would be possible with a
browser plugin).
Next the user uses Firefox to open a SAMP-enabled database query page.
This automatically looks for a hub to connect to at the standard
port. It's here that I gather we need to think about http or https?
If it's just an HTTP request I think I follow what can happen. The
page sends information to the hub and then can poll for updates and
make additional posts to send messages. All is good.
So let's suppose we are thinking of doing this as an HTTPS connection.
Normally in an HTTPS connection, the browser is attempting to connect
to a certified service. The browser/client looks at the service's
certificate and if satisfied proceeds with the connection.
However if I'm understanding what Ray is suggesting, we're really
inverting this process. The Web application is nominally the client
in the process where it connects to the hub, e.g., it's a JavaScript
processing that's using XMLHttpRequest invocations of something like:
https://localhost:99999/
to start communications with the hub. So in this case it's the client
that we want to certify not the hub (which the user started and
presumably trusts).
So if I've understood this properly I'm confused as to whether https
is designed to address the case where we have a trusted server (the
SAMP Web hub), but an untrusted client (the web application). All of
my experience with https has been in the opposite situation where the
client (the web browser) is trusted, but the server (the remote web
page) is not.
Now I see some web hits on client certification, but they quickly seem
to descend into jargon I can't follow so I gave up. If someone could
clarify I'd appreciate it.
Regards,
Tom
Mark Taylor wrote:
> Hi all,
>
> following my Web Profile presentation at the Interop, I chatted to
> Ray Plante a bit about security. He thinks that it would be a good
> idea for the hub to pay attention to signed certificates.
> In this scenario, the hub has a certificate bundle
> and accepts HTTPS requests as well as HTTP ones
> (on a separate well-known port?). When a request to register
> is received and the hub asks the user for confirmation
> (via a popup or whatever), then the hub should make clear
> to the user whether the request was signed, and
> whether the CA is from its trusted certificate bundle or not.
> It should perhaps issue to the user an extra-scary warning for
> clients which cannot be authenticated as from a trusted source.
> This gives the user a better idea about whether to trust the
> registering tool/page with the user privileges entailed by SAMP
> registration.
>
> A given hub implementation would need to get its certificate bundle
> from somewhere; putting an IVOA-approved bundle together sounds like
> a job for GWS (maybe they already have one?)
>
> This sounds reasonable to me in principle. However, I'm very
> ill-informed about certificates and security in general, so my
> understanding of the issues is pretty sketchy - quite possibly there
> are howlers in the above summary which show off my ignorance.
>
> Questions which occur to me:
>
> - how much harder does this make hub implementation?
>
> - how hard is it for client authors to make HTTPS requests
> in the various target languages (JavaScript et al.)?
>
> - will there be performance issues? cryptography can be slow,
> and often SAMP involves a lot of short messages
>
> - do the three sandbox-busting technologies currently proposed by
> the Web Profile work with HTTPS? (I think the answer is yes,
> but I wouldn't bet on it).
>
> there are probably other questions too.
>
> Can anybody comment on whether they think this idea is sensible
> and/or necessary and/or practicable, or add anything else they
> think is relevant? I believe that Luigi already uses https
> connections with SAMPy, so his perspective will be particularly
> valuable.
>
> Mark
>
> --
> Mark Taylor Astronomical Programmer Physics, Bristol University, UK
> m.b.taylor at bris.ac.uk +44-117-928-8776 http://www.star.bris.ac.uk/~mbt/
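Mark's proposal above (the hub holds a CA bundle, and its registration prompt tells the user whether the client presented a certificate and whether that certificate's CA is in the bundle) is the client-certificate side of TLS that Tom asks about: the hub, as the TLS server, verifies the connecting client rather than the other way round. The following is an added example in Go, not code from this thread or from any SAMP hub implementation; the CA names, the "query-page" client and the verdict strings are constructed for the demonstration, and the certificate generator is only there to build test inputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed test certificate for cn; with parent == nil it is a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // a CA signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // a leaf certificate for a client (web page or application)
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey) // fixed test inputs; error ignored
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// classifyClient is the hub-side check over r.TLS.PeerCertificates before the registration prompt:
// Verify walks the chain to a root in the hub's bundle and checks validity dates and client-auth usage.
func classifyClient(peer []*x509.Certificate, bundle *x509.CertPool) string {
	if len(peer) == 0 {
		return "unauthenticated: no client certificate presented"
	}
	if _, err := peer[0].Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "untrusted: certificate does not chain to a CA in the hub's bundle"
	}
	return "trusted: " + peer[0].Subject.CommonName + " certified by " + peer[0].Issuer.CommonName
}

func main() {
	ivoaCA, ivoaKey := newCert("IVOA CA (constructed)", nil, nil)
	otherCA, otherKey := newCert("Unknown CA (constructed)", nil, nil)
	bundle := x509.NewCertPool() // the hub's trusted certificate bundle: only the IVOA CA
	bundle.AddCert(ivoaCA)
	good, _ := newCert("query-page", ivoaCA, ivoaKey)
	bad, _ := newCert("query-page", otherCA, otherKey)
	for _, peer := range [][]*x509.Certificate{{good}, {bad}, nil} {
		fmt.Println(classifyClient(peer, bundle))
	}
}
```

In a real hub the TLS listener would use a `tls.Config` with `ClientAuth: tls.VerifyClientCertIfGiven` and `ClientCAs` set to the bundle, so that unauthenticated clients still connect but arrive with the "unauthenticated" verdict for the prompt.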