Hi,
Enabling use_secure_urls has some side effects which I'm looking at how to solve.
For example, a user might have defined a bookmark to the RC login page (www.example.com/webmail/). This works fine just as long as the user is not yet logged in. However if the user is already logged in and the user wants to check whether there is any new mail and therefore clicks the bookmark, an error page with "Access to this service was denied due to failing security checks!" is shown. The user should then click the "click here to try again" link which will redo the request but now with the correct token in the URL. Since the GET request is redone but now with the correct token added, to me it looks like checking the URL token for GET requests will not bring additional security because if the user clicks the "click here to try again" link, the request will be done anyway.
Is it possible to disable the secure URL check for certain pages and/or requests? Perhaps with a plugin? or is it all or nothing?
Kind regards,
Martijn Brinkers
On Thu, Apr 30, 2015 at 8:52 AM, martijn.list <martijn.list@gmail.com> wrote:
> Hi,
> Enabling use_secure_urls has some side effects which I'm looking at how to solve.
> For example, a user might have defined a bookmark to the RC login page (www.example.com/webmail/). This works fine just as long as the user is not yet logged in. However if the user is already logged in and the user wants to check whether there is any new mail and therefore clicks the bookmark, an error page with "Access to this service was denied due to failing security checks!" is shown. The user should then click the "click here to try again" link which will redo the request but now with the correct token in the URL. Since the GET request is redone but now with the correct token added, to me it looks like checking the URL token for GET requests will not bring additional security because if the user clicks the "click here to try again" link, the request will be done anyway.
That's exactly the point: the user has to CLICK the link -> human interaction required.
The random hash in the webmail URL is supposed to protect from CSRF or click-jacking attacks by making it harder for an attacker to guess the URL for the actual actions on the webmail application with a possibly active session. Roundcube already has proper protection for POST and Ajax requests. The unique-per-session urls add the missing piece for GET requests.
> Is it possible to disable the secure URL check for certain pages and/or requests? Perhaps with a plugin? or is it all or nothing?
No it isn't, it's literally all or nothing. But what "certain pages" would you then like to exclude? Once you allow one, you lose protection against click-jacking.
~Thomas
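An added example, not code from this thread or from Roundcube, that models the mechanism Thomas describes: the session cookie alone is not enough for a GET, the URL must also carry a random per-session token, and a request without it gets a "denied" page offering the corrected URL as a link rather than an automatic redirect. The `/webmail` base path comes from the bookmark in the thread; the session store, cookie values, URL layout (token as the first path segment) and the `_task`/`_action`/`_uid` query are constructed for illustration and are not Roundcube's actual layout or API.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed deployment path, taken from the bookmark in the thread.
APP_BASE = "/webmail"


@dataclass
class Session:
    user: str
    # Random, unguessable token; it must appear in the path of every GET
    # request made with this session (the "unique-per-session URL").
    url_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed in-memory session store keyed by the session cookie value.
SESSIONS: Dict[str, Session] = {}


def login(session_cookie: str, user: str) -> str:
    """Create a session bound to a cookie value and return its URL token."""
    SESSIONS[session_cookie] = Session(user=user)
    return SESSIONS[session_cookie].url_token


def secure_url(session: Session, query: str = "") -> str:
    """URL the logged-in client itself uses: token in the path, query kept."""
    return f"{APP_BASE}/{session.url_token}/" + (f"?{query}" if query else "")


def handle_get(session_cookie: Optional[str], url: str) -> Tuple[str, Optional[str]]:
    """Model of the secure-URL check applied to one GET request.

    Returns one of:
      ("login", None)         no active session, show the login page
      ("ok", query)           token in the URL matches the session, serve it
      ("denied", resume_url)  a session exists but the token is missing or
                              wrong: show the error page with a link that
                              carries the right token and must be clicked
    """
    session = SESSIONS.get(session_cookie) if session_cookie else None
    if session is None:
        return ("login", None)

    parts = urlsplit(url)
    # The browser sends the cookie with any GET to this origin, including a
    # cross-site link or a plain bookmark, so the cookie alone proves nothing.
    # Only a URL that also carries the per-session token is accepted.
    segment = ""
    if parts.path.startswith(APP_BASE + "/"):
        segment = parts.path[len(APP_BASE) + 1:].split("/", 1)[0]
    # Constant-time comparison so timing does not leak the token.
    if segment and hmac.compare_digest(segment.encode(), session.url_token.encode()):
        return ("ok", parts.query)

    # Never redirect automatically: the denied page offers the corrected
    # URL as a link, so completing the request needs a human click.
    return ("denied", secure_url(session, parts.query))


def demo() -> None:
    cookie = "sid-constructed-example"
    login(cookie, "alice")
    session = SESSIONS[cookie]
    # 1. Bookmark to the plain login URL while already logged in.
    print(handle_get(cookie, f"{APP_BASE}/"))
    # 2. Forged cross-site GET with an illustrative action in the query.
    print(handle_get(cookie, f"{APP_BASE}/?_task=mail&_action=delete&_uid=42"))
    # 3. A link generated by the application itself.
    print(handle_get(cookie, secure_url(session, "_task=mail")))
    # 4. Guessed token.
    print(handle_get(cookie, f"{APP_BASE}/guess/?_task=mail"))


if __name__ == "__main__":
    demo()
```

Cases 1, 2 and 4 all end on the "denied" page with a resume link; only the link the application generated (case 3), or the resume link once a user clicks it, is served. That is also why the check cannot be relaxed for individual pages: any page served without the token is again reachable by a forged GET with nothing but the cookie.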
On 04/30/2015 11:54 AM, Thomas Bruederli wrote:
> On Thu, Apr 30, 2015 at 8:52 AM, martijn.list <martijn.list@gmail.com> wrote:
>> Hi,
>> Enabling use_secure_urls has some side effects which I'm looking at how to solve.
>> For example, a user might have defined a bookmark to the RC login page (www.example.com/webmail/). This works fine just as long as the user is not yet logged in. However if the user is already logged in and the user wants to check whether there is any new mail and therefore clicks the bookmark, an error page with "Access to this service was denied due to failing security checks!" is shown. The user should then click the "click here to try again" link which will redo the request but now with the correct token in the URL. Since the GET request is redone but now with the correct token added, to me it looks like checking the URL token for GET requests will not bring additional security because if the user clicks the "click here to try again" link, the request will be done anyway.
> That's exactly the point: the user has to CLICK the link -> human interaction required.
I understand the concept, although in practice I think most users would just click the link without understanding the implications. Anyway, it was not criticism from my side, just a note.
> The random hash in the webmail URL is supposed to protect from CSRF or click-jacking attacks by making it harder for an attacker to guess the URL for the actual actions on the webmail application with a possibly active session. Roundcube already has proper protection for POST and Ajax requests. The unique-per-session urls add the missing piece for GET requests.
>> Is it possible to disable the secure URL check for certain pages and/or requests? Perhaps with a plugin? or is it all or nothing?
> No it isn't, it's literally all or nothing. But what "certain pages" would you then like to exclude? Once you allow one, you lose protection against click-jacking.
If the secure URLs are enabled, the user can no longer open the webmail page using a general bookmark if the user is already logged in. You might argue that if the user is already logged in, the webmail is already open in some page, but when you have a lot of open pages you might have forgotten that you already opened a page somewhere. If the user now clicks the bookmark, the failing security checks error message is shown. Is that a show stopper? No, but it can be annoying for users who do not understand what it actually means.
Kind regards,
Martijn
On Thu, Apr 30, 2015 at 12:05 PM, martijn.list <martijn.list@gmail.com> wrote:
> On 04/30/2015 11:54 AM, Thomas Bruederli wrote:
>> On Thu, Apr 30, 2015 at 8:52 AM, martijn.list <martijn.list@gmail.com> wrote:
>>> [...] Since the GET request is redone but now with the correct token added, to me it looks like checking the URL token for GET requests will not bring additional security because if the user clicks the "click here to try again" link, the request will be done anyway.
>> That's exactly the point: the user has to CLICK the link -> human interaction required.
> I understand the concept, although in practice I think most users would just click the link without understanding the implications.
That's actually fine or good enough respectively. We just have to insist on human interaction here and could not facilitate this by doing an automated redirect to the valid session url.
>>> Is it possible to disable the secure URL check for certain pages and/or requests? Perhaps with a plugin? or is it all or nothing?
>> No it isn't, it's literally all or nothing. But what "certain pages" would you then like to exclude? Once you allow one, you lose protection against click-jacking.
> If the secure URLs are enabled, the user can no longer open the webmail page using a general bookmark if the user is already logged in.
I agree and that certainly is a downside of this improved security measure.
> You might argue that if the user is already logged in, the webmail is already open in some page, but when you have a lot of open pages you might have forgotten that you already opened a page somewhere. If the user now clicks the bookmark, the failing security checks error message is shown. Is that a show stopper? No, but it can be annoying for users who do not understand what it actually means.
For better understanding we recently changed the wording of the message into """ For your protection, access to this resource is secured against CSRF. If you see this, you probably didn't log out before leaving the web application.
Human interaction is now required to continue.
[Click here to resume your previous session] """
This will probably help to educate users to properly log out when leaving the webmail.
Of course we're open to suggestions how to further improve this.
Kind regards, Thomas