Re: Policy enforcement point

On Monday 2008-02-04 13:32 -0800, Jon Ferraiolo wrote:
> Access Control has a negative from a security perspective in that, if you
> don't implement server-side policy management and leave it to the client,
> then the data comes down the pipe only to be discarded by the client after
> failing the Access Control check, but that means that malicious clients
> (i.e., clients that pretend to implement Access Control properly but don't)
> or man-in-the-middle software have access to the data.  Therefore, if your
> data isn't public, then I would recommend server-side PEP to the web
> community. The basic rule in security is that the server should not blindly
> trust the client, and the client should not blindly trust the server.

Let's not forget what the security threat we're protecting against
here is.  The threat that we're protecting against is the threat that a
user has an already-privileged client (where the privileges may come
from being behind a firewall, or from cookies, etc.), and a third
party site (accessed by the same client) uses the privileges already
granted to that client to gain access to protected resources (ones
that the client already has access to).

In that scenario, if the client is malicious, you've already lost.

In that scenario, if you've got a man-in-the-middle attack between
the server and the client, you've already lost.

If you don't trust the client that you've *already* granted
privileges to, you've already lost.

I don't think those issues are relevant here.

-David

-- 
L. David Baron                                 http://dbaron.org/
Mozilla Corporation                       http://www.mozilla.com/
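To make Jon's "server-side PEP" point concrete, here is an added example (not code from the thread or from any Access Control implementation) contrasting a server that always ships the data and relies on the client to discard it with one that decides before writing a single body byte. It assumes the modern CORS header names (Origin, Access-Control-Allow-Origin) rather than the 2008 draft's, and uses a constructed allow-list policy.

```python
# Added example: two models of where the access-control decision is enforced.
from dataclasses import dataclass, field

# Constructed sample policy: resource path -> set of origins allowed to read it.
# None marks a public resource; a path missing from the table is deny-by-default.
ALLOWED_ORIGINS = {
    "/account/balance": {"https://app.example"},
    "/public/news": None,
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def client_side_only(path: str, origin: str, data: str) -> Response:
    """Weak model: the server always sends the body and trusts the client to
    discard it when the Access Control check fails. A non-compliant client or
    anyone reading the wire still gets the data."""
    allowed = ALLOWED_ORIGINS.get(path)
    headers = {}
    if allowed is None and path in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = "*"
    elif allowed and origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
    # The body leaves the server regardless of the decision above.
    return Response(200, headers, data)


def server_side_pep(path: str, origin: str, data: str) -> Response:
    """Server-side policy enforcement point: the decision is made first, and a
    denied request never carries the protected body."""
    if path not in ALLOWED_ORIGINS:
        return Response(403)  # unknown resource: deny by default
    allowed = ALLOWED_ORIGINS[path]
    if allowed is None:
        return Response(200, {"Access-Control-Allow-Origin": "*"}, data)
    if origin in allowed:
        # Vary: Origin keeps caches from replaying this answer to another origin.
        return Response(200, {"Access-Control-Allow-Origin": origin,
                              "Vary": "Origin"}, data)
    return Response(403)  # no body for a disallowed origin
```

Run both functions against the same disallowed origin: the first still returns the protected body (status 200, no allow header), the second returns 403 with an empty body.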

Received on Monday, 4 February 2008 22:47:02 UTC