> ----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "Gabriel Cardoso" <gcardoso(a)redhat.com>, keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 7 August, 2013 12:39:52 PM
> Subject: Re: [keycloak-dev] Avoid older user agents?
>
> On 8/7/2013 4:45 AM, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Gabriel Cardoso" <gcardoso(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Tuesday, 6 August, 2013 5:04:39 PM
>>> Subject: Re: [keycloak-dev] Avoid older user agents?
>>>
>>> For SSO login, we should support as old as possible (no javascript,
>>> backward compatible to HTML 4? 3? 2? I don't know, you tell me....).
>>
>> HTML4 transitional is fine; it pretty much covers 99.9999% of browsers in use
>> today. We can use JavaScript as long as it's a progressive enhancement (for
>> example autofocus or placeholder replacement). The biggest issue is around
>> css/style and testing that it's "pixel perfect"; there are several websites
>> out there that can help with this. There may be an official list of
>> browsers Red Hat supports, but I would think recent versions of Chrome,
>> Firefox, Safari, Opera (these are all generally updated and there are very
>> few old versions around). IE6 has been announced dead by MS themselves, and
>> IE7 has relatively low usage, so I would think IE8 is sufficient. That's
>> not to say it won't work with older browsers, it may just look a bit crap.
>>
>>>
>>> For the admin UI, we can be more restrictive, IMO. The admin UI is not
>>> just a UI though. It is a set of REST services that can be called from
>>> javascript (or whatever language/platform you want). For security
>>> reasons we might want to restrict the types of browsers that can make
>>> these REST requests.
>>
>> I'm wondering if limiting on the user-agent header is false security, as it can be
>> easily changed.
>>
> I was thinking more of XSS, if somebody has logged into Keycloak with
> an old browser. We're protecting the user, not preventing a direct
> attack. Am I right here?

XSS is what I'm thinking about, as the malicious code could just set the user-agent
header on any XHR requests to mimic a new "safe" browser. BTW I'm not an expert
and I'm just speculating ;)

>> Checking the user agent before setting HttpOnly is also IMO not necessary, as
>> most browsers do support it (in fact IE does all the way back to 6 and Firefox
>> to 3!). Anyone who still uses a browser that doesn't support it today is
>> using a heavily out-of-date (and unsupported) browser, so it will be
>> riddled with vulnerabilities in any case.
>>
> No, we would always set HttpOnly. The cookie spec allows for arbitrary
> values.

Sorry, I worded that incorrectly. I meant that we could just create the cookie in any case
(always with HttpOnly), as it seems to me that >99% of browsers are covered.

A browser that is very vulnerable to XSS attacks might not even need a cookie to get the
required info?

> I just think it's so important to think of any security vulnerability and
> close it up. If we get one security hack, our credibility takes a huge hit.

IMO if someone uses an old browser with known vulnerabilities, it's the browser that
was hacked, not Keycloak. I guess this is the meat of what I'm trying to say.

What about a warning message on the login screen if someone uses an old, unsupported
browser?

> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
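The two mechanisms the thread weighs, a User-Agent check and a session cookie that always carries HttpOnly, as an added illustration that is not part of the original mail and not Keycloak's own code. The cookie name KEYCLOAK_SESSION, the IE8 cut-off, the function names and the sample User-Agent strings are assumptions made for the example; the logic is language-neutral and is shown in Python only so it runs stand-alone.

```python
"""Added example: a User-Agent based gate is trivially spoofed, while an HttpOnly
session cookie is built the same way for every browser. Not Keycloak code; the
cookie name, the IE8 cut-off and all function names are assumptions."""
import re
from http.cookies import SimpleCookie

# Assumed policy, taken from the thread: IE8 is the oldest version worth supporting.
MIN_IE_MAJOR = 8

# Legacy IE (through IE10) advertises itself with an "MSIE <major>.<minor>" token.
_IE_TOKEN = re.compile(r"MSIE (\d+)\.\d+")


def ie_major_version(user_agent):
    """Return the major version from a legacy IE User-Agent, or None for anything else."""
    match = _IE_TOKEN.search(user_agent or "")
    return int(match.group(1)) if match else None


def unsupported_browser_warning(user_agent):
    """Return a warning for the login page when the browser is an IE older than
    MIN_IE_MAJOR, else None. The request is still served: this warns, it does not block."""
    major = ie_major_version(user_agent)
    if major is not None and major < MIN_IE_MAJOR:
        return "Internet Explorer %d is no longer supported; please upgrade your browser." % major
    return None


def rest_gate_allows(user_agent):
    """A User-Agent based gate on REST requests, as floated in the thread.
    It admits anything that does not look like an old IE, so a caller that
    changes the header string walks straight through."""
    return unsupported_browser_warning(user_agent) is None


def session_cookie_header(token, secure=True):
    """Build the Set-Cookie value for the SSO session cookie.

    HttpOnly is set unconditionally: it is plain text in the header, and a
    browser that does not recognise the attribute ignores it (RFC 6265, 5.2),
    so there is no reason to consult the User-Agent first. Cookie name assumed."""
    jar = SimpleCookie()
    jar["KEYCLOAK_SESSION"] = token
    jar["KEYCLOAK_SESSION"]["path"] = "/"
    jar["KEYCLOAK_SESSION"]["httponly"] = True
    if secure:
        jar["KEYCLOAK_SESSION"]["secure"] = True
    return jar["KEYCLOAK_SESSION"].OutputString()


# Constructed sample User-Agent strings for the example (not captured traffic).
OLD_IE = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/28.0.1500.95 Safari/537.36")


def spoofed_request_passes():
    """Show the gate being bypassed: the same client is refused with its real
    User-Agent and admitted as soon as it sends a different header value."""
    blocked = not rest_gate_allows(OLD_IE)
    admitted = rest_gate_allows(CHROME)  # a script or curl just sets the header
    return blocked and admitted


if __name__ == "__main__":
    for ua in (OLD_IE, IE8, CHROME):
        print("%-50s warning=%r" % (ua[:50], unsupported_browser_warning(ua)))
    print("gate bypassed by spoofing:", spoofed_request_passes())
    print("Set-Cookie:", session_cookie_header("opaque-token-value"))
```

The gate and the warning share one parser on purpose: the warning is the only thing the User-Agent is good for, because the same string that drives the warning is all an attacker needs to change to satisfy the gate. The cookie builder takes no User-Agent argument at all.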