Computing Systems

Informatics Computing Staff jottings

Security of shared web services

As the likes of homepages.inf.ed.ac.uk and groups.inf.ed.ac.uk are shared user services, anyone using some sort of authentication/authorisation to restrict access has to trust the other users of those web services.

A lot of the web’s security model relies on the “same origin policy”.

* https://en.wikipedia.org/wiki/Same-origin_policy

which limits the access scripts have to data (particularly authentication data) served to/from different sites. So if a potential victim is using homepages.inf, but is duped into executing a script from badguy.org, that script would not have access to browser data relating to homepages.inf.

However, if the “badguy” script is served from a homepages URL, then it would have access to any other browser data associated with homepages.inf, e.g. authentication data, as it would be within the “same origin”.
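The point above can be checked mechanically: a browser's origin is scheme + host + port, so two pages on the same shared host are the same origin whatever their path. The following is an added example, not code from the original post; the user names and the per-user hostnames in the last sample pair are hypothetical.

```javascript
// Added example (not from the original post): compare two URLs the way the
// browser's same-origin policy does, i.e. on scheme, host and port only.
// The path, which is all that separates users on a shared host such as
// homepages.inf.ed.ac.uk, plays no part in the comparison.
function originOf(urlString) {
  // URL.origin normalises the default port (":443" for https is dropped).
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed sample URLs. "alice" and "bob" are hypothetical users; the
// per-user hostnames in the last pair are an assumed shape for a future
// service with unique hostnames, not an existing service.
const SAMPLES = [
  ["https://homepages.inf.ed.ac.uk/~alice/private/", "https://homepages.inf.ed.ac.uk/~bob/index.html"],
  ["https://groups.inf.ed.ac.uk/projectx/admin/", "https://groups.inf.ed.ac.uk/projecty/"],
  ["https://homepages.inf.ed.ac.uk/~alice/", "https://badguy.org/~alice/"],
  ["https://alice.homepages.inf.ed.ac.uk/", "https://bob.homepages.inf.ed.ac.uk/"],
];

// Returns one record per pair saying whether the two URLs share an origin.
function classify(pairs) {
  return pairs.map(([a, b]) => ({ a, b, shared: sameOrigin(a, b) }));
}

for (const r of classify(SAMPLES)) {
  console.log(`${r.shared ? "SAME ORIGIN" : "different  "}: ${r.a}  vs  ${r.b}`);
}
```

The first two pairs report a shared origin: a script served from any path on the host runs with the same origin as a protected area on that host, and cookie `Path` attributes do not change that.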

All users of the computing systems are bound by the University’s Computing Regulations

* https://www.ed.ac.uk/information-services/about/policies-and-regulations/computing-regulations

and intercepting and impersonating someone else on a computing system is an offence

* https://www.legislation.gov.uk/ukpga/1990/18/contents

so none of that should be happening on our servers, but users of a shared web service like homepages.inf and groups.inf should be aware of this if they are relying on authentication to limit access to sensitive or important data.

In the future we will probably look at providing equivalent homepages.inf and groups.inf services where the hostname is unique to each user and group, so that each user/group has its own “origin”, but that’s unlikely to happen in the near future.

In the meantime if you are making use of authentication/authorisation on a shared web service and wish to discuss your options, please use the support form

* https://www.inf.ed.ac.uk/systems/support/form/

to contact us.

Neil
