October 26, 2010

Protect the flock (or how to mitigate the effects of HTTP session hijacking without using SSL)

So this thing called Firesheep is making a splash the past couple of days. It's a Firefox plugin that lets you hijack HTTP sessions on open WiFi networks (which presumably are NATed, hence trying to use the client IP address as extra authentication doesn't work).

It's possible to mitigate the scope of this kind of session hijacking significantly without resorting to tricks that break the back button. A note about what "mitigate" means here: we're on an open network, so any traffic from the server to the client can be spied on, and since we don't want to break the back button by using one-time information, any GET request that is made by the client can be spied on and repeated by the hijacker. However, the hijacker won't be able to make GET requests to URLs that she hasn't yet spied on, and will be unable to make POST requests.

So how does this work? I'm assuming the initial login is done over HTTPS, during which time the server sends the client a shared secret that the client then stores locally (window.name, Flash LSO, or localStorage). When a client wants to GET a URL, she rewrites it (this can be done using JavaScript on onload, for example) with a query parameter that is a hash (SHA1 in JavaScript, for example) of the secret concatenated with the URL. The server then verifies the hash before responding to the request. POST requests are handled by performing the same hashing on unique server-generated form identifiers (you're already using these to prevent duplicate form submissions, right?).

That wasn't so hard. Let me know if you see any problems with this scheme, or know of a better way.

October 19, 2010

Various Lisp news

I've put uri-template and Eager Future on github and did some work on both.

uri-template got a new release, and now uses named-readtables to provide a modular way to use reader macros. I think named-readtables is a really big deal; if your library defines reader macros, start using named-readtables today. Once it is widely adopted, named-readtables can be used to facilitate things like a global move to readtable-case :invert.

I'm working on some really interesting features for Eager Future, but I'm getting stumped by how finalizers and thread-interrupt interact in SBCL. Any help appreciated (I've posted the problem description to sbcl-help).

I've mentioned CL-JavaScript before, and it's cool to see similar projects. Justin Grant did a toy Ruby to Common Lisp compiler that (no surprise) is a lot faster than Ruby at calculating factorials. The source code is a good illustration of why Common Lisp is the ultimate language implementation language.

In local news, the Montreal Clojure users' group will be hosting its first meeting October 26 (details).

In less Lisp-related news, Foulab is hosting a demo party November 27.