RE: SSL Logout possibility in Javascript

From: Peter Williams <home_pw@msn.com>
Date: Sat, 2 Jul 2011 10:43:50 -0700
Message-ID: <SNT143-w20C0E532F997C802C6B780925A0@phx.gbl>
To: "public-xg-webid@w3.org" <public-xg-webid@w3.org>, <foaf-protocols@lists.foaf-project.org>

There is no such thing as SSL logout (or login). SSL (at layer 4) is not a login/logout protocol. Neither is https (at layer 7). HTTP over http has a login procedure (I think). SSL is a secure channel protocol. Yes, like any connection, the state can be discarded, forcing a new channel. Being a security protocol, the design has a specific connection closure/abort process, since an attacker may seek to hijack connections/sessions.

A good contrasting case is iscsi, in which, in addition to having connection opening and closing procedures, the protocol maintains multiple sessions and multiple connections within sessions (for multi-pathing). In addition, unlike SSL or https layer 7 iscsi entities can exchange multiple rounds of login/logoff messages in a login/logoff procedure. In SSL, this would be known as a login/logoff protocol-of-the-record-layer (where protocol is a defined SSL term).

In the early days of SSLv1, there were discussions about transporting the www-auth field as an SSL protocol, rather than where it stayed - in the application data protocol (embedded within HTTP request PDUs).

One has to remember the security model. A browser only sees the view of the resource projected by the proxy it works with. Similarly, for an https CONNECT or MITM proxy, it only sees the SSL state shared with that proxy (not that with the resource). You can clear SSL session state all you like in some browser, but don't assume this has any impact on the SSL state of a resource server you APPEAR to be interacting with directly.

If you know what you are doing you can apply SSLv2, which provides quite different web semantics to SSLv3+. There are some downsides to SSLv2 (and someone will no doubt have written up their opinion at Wikipedia, right or wrong). There are also some upsides of its semantics.

> From: henry.story@bblfish.net
> Date: Sat, 2 Jul 2011 17:00:01 +0200
> To: public-xg-webid@w3.org; foaf-protocols@lists.foaf-project.org
> Subject: SSL Logout possibility in Javascript
> 
> In a conversation on a different mailing list, I discovered that SSL logout 
> may be something that can be offered from the browser.
> 
> Has anyone tried the javascript below?
> 
> Henry
> 
> On 2 Jul 2011, at 16:01, A. Rundgren wrote on a different list:
> 
> > In addition, TLS client-certificate-authentication is at least in MSIE
> > downright user-hostile and requires restart if you do something wrong.
> > There is not even an agreed upon logout scheme for browsers!
> > 
> > Extract from a web-app of mine:
> > 
> >     if (document.all == null) // FF, Opera, etc
> >       {
> >          if (window.crypto) window.crypto.logout();
> >       }
> >     else // MSIE 6+
> >       {
> >          document.execCommand('ClearAuthenticationCache');
> >       };
> 
> Social Web Architect
> http://bblfish.net/
> 
Received on Saturday, 2 July 2011 17:44:28 UTC
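
The quoted snippet picks its branch by testing `document.all`. As an added example (not part of the original thread or any poster's code), the same two non-standard calls can be selected by feature detection, with the outcome reported to the caller; `clearClientAuthState` and its result fields are hypothetical names.

```javascript
// Added example, not code from the thread. `win` is the browser window object,
// passed in so the function can also be exercised with stub objects.
function clearClientAuthState(win) {
  const result = { method: 'none', cleared: false, error: null };

  // Firefox of that era: non-standard window.crypto.logout().
  // Detect the function itself instead of inferring it from document.all.
  if (win.crypto && typeof win.crypto.logout === 'function') {
    result.method = 'crypto.logout';
    try {
      win.crypto.logout();
      result.cleared = true;
    } catch (e) {
      result.error = String(e);
    }
    return result;
  }

  // MSIE 6+: non-standard ClearAuthenticationCache command.
  // execCommand returns false (or throws) where the command is unknown.
  const doc = win.document;
  if (doc && typeof doc.execCommand === 'function') {
    try {
      if (doc.execCommand('ClearAuthenticationCache', false, null)) {
        result.method = 'ClearAuthenticationCache';
        result.cleared = true;
      }
    } catch (e) {
      result.error = String(e);
    }
  }

  // method === 'none': the browser offers neither call, so nothing was cleared.
  // cleared === true only means the browser accepted the call; as the reply
  // above points out, it says nothing about SSL state held by a proxy or by
  // the resource server.
  return result;
}
```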

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:25 UTC