Sunday, March 25, 2007
Cohen on Howard: Chapter 24
Chapter 24 covers writing security documentation and error messages.
Cohen:
But the problems in this chapter start early. On the second page they tell us not to use security through obscurity, after having told us in the prior chapter not to tell attackers anything.
This is nitpicking on the part of Cohen. Yes, security through obscurity is a doomed tactic. That doesn't mean attackers shouldn't have to work for every bit of information. Why should we shrink the attack space for them by handing them useful information?
Cohen:
A few pages later, they tell us to not reveal anything sensitive in error messages, then give us what they think is a good example of telling the attacker that the password they just tried was wrong only because some of the characters were in the wrong case. Of course this eliminates the value of using case sensitive passwords in the first place, telling the attacker a great deal of useful information by reducing the search space by several orders of magnitude, but they seem to have missed that.
Cohen seems not only to have missed the thrust of this part of the book, but also to be labouring under the false impression that Windows passwords are case-insensitive.
This section of the chapter is trying to say that error messages should empower legitimate users to solve problems while not giving away useful attack information. For example, rather than saying "Your password is incorrect." you can say "Your password is incorrect. Remember, passwords are case sensitive." to hint that the user needs to pay extra attention. It does not in any way propose that you say "Your password is incorrect. However, if you uppercased the 3rd letter, it would be correct."
Cohen's line of reasoning would have made more sense had he complained that the message tells the user the password was wrong, thus implying that the username was correct and reducing the attacker's work by several orders of magnitude. But he seems to have missed that.
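To make the two points concrete, here is an added example (not code from the post or the book) contrasting a login handler whose error text reveals which field was wrong, and whether only the letter case was off, with one that returns a single fixed message carrying the case-sensitivity reminder. The user store, salt and passwords are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo user store (assumption, not from the post): username -> salted SHA-256 digest.
_SALT = b"constructed-demo-salt"

def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()

USERS = {"alice": _digest("Tr0ub4dor&3")}
# The leaky variant also keeps a case-folded digest so it can detect a case-only mismatch;
# holding that weaker representation at all is part of what makes the hint possible.
USERS_CASEFOLDED = {"alice": _digest("Tr0ub4dor&3".casefold())}
# Digest compared against when the username is unknown, so both failure paths do the same work.
_DUMMY = _digest("dummy-password")

# One wording for every failure: it says nothing about which field was wrong,
# but still gives the legitimate user something to check.
GENERIC_FAILURE = "Your username or password is incorrect. Remember, passwords are case sensitive."

def leaky_login(username: str, password: str) -> tuple[bool, str]:
    """'Before' version: the error text is a yes/no oracle on the username and on letter case."""
    stored = USERS.get(username)
    if stored is None:
        return False, "Unknown username."
    if hmac.compare_digest(stored, _digest(password)):
        return True, "Welcome."
    if hmac.compare_digest(USERS_CASEFOLDED[username], _digest(password.casefold())):
        return False, "Your password is incorrect: some characters are in the wrong case."
    return False, "Your password is incorrect."

def safe_login(username: str, password: str) -> tuple[bool, str]:
    """Hardened version: one message for every failure, same work whether or not the user exists."""
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _digest(password)) and username in USERS
    return (True, "Welcome.") if ok else (False, GENERIC_FAILURE)

def responses_distinguish(login, probes) -> bool:
    """True if failed attempts yield more than one distinct message, i.e. the text leaks something."""
    messages = {msg for ok, msg in (login(u, p) for u, p in probes) if not ok}
    return len(messages) > 1

if __name__ == "__main__":
    probes = [("alice", "Tr0ub4dor&3x"), ("alice", "tr0ub4dor&3"), ("bob", "anything")]
    print("leaky handler leaks:", responses_distinguish(leaky_login, probes))  # True
    print("safe handler leaks:", responses_distinguish(safe_login, probes))    # False
```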