Security by default or security by design

Topics: ASP.NET 2.0
Jan 20, 2008 at 9:24 PM
Edited Jan 20, 2008 at 9:27 PM
Hi. First of all I want to say "Thank You" for an awesome product.
I really like BlogEngine.NET and I hope that my colleague, who is quite an expert on C# and SQL Server, can contribute to the project and to mine and his blogs. A small thought before I comment on the subject: why not put the files (or everything) in the database (SQL) and only have static files on disk and everything dynamic in the database? My biggest concern about this is with uploaded files and images, there is no browse feature, and with backup/restore.

Now to the subject:
SSL. Why in the year 2007/2008 not choose to use SSL logon by default? All internet-connected and from-the-internet-configurable servers should be encrypted by default. This is in my opinion the only really important design flaw and isn't a modern approach when using such modern technology otherwise.

Yes, I know it's free to use and so on and so forth..... but why not start with security in mind when starting a new project?

Otherwise... thank you again and keep up the good work and I hope to contribute somehow in the future.
I would be very happy with comments on the security thoughts.

Regards,
Zeboulon - think about IT - http://Micros0ft.se
Jan 20, 2008 at 11:50 PM
> SSL. Why in the year 2007/2008 not choose to use SSL logon by default?

It's easy to add SSL: simply add an SSL certificate to the web site, set the SSL certificate as required via IIS on login.aspx and the administration pages, and modify login.aspx.cs to redirect to SSL.

Jan 21, 2008 at 4:22 AM
I completely agree... I wrote a couple of articles about using SSL with BlogEngine at http://www.dscoduc.com/?tag=/ssl
Jan 21, 2008 at 6:10 AM
Call me Dutch, but I'd agree if SSL certificates are supplied free of charge by default as well ;-)
Jan 21, 2008 at 6:43 AM
Well, since you are the only one logging into your blog, a custom, self-signed certificate can be used. Have a look at selfssl.exe for generating a certificate for your blog...

http://www.dscoduc.com/post/2007/10/The-Joy-of-SelfSSL.aspx
Jan 21, 2008 at 6:43 AM
Edited Jan 21, 2008 at 6:44 AM
It is very easy to protect the entire site with SSL, but most people don't want the entire site to be protected, just the admin pages.
This was what I meant.
And using non-free 3rd party solutions such as SSL redirect, as mentioned by Mr. dscoduc, isn't what I would label as security by default.
It's just a workaround.
So the question remains; why not secure the admin pages by default?

thanks for your thoughts so far anyway.

Regards,
Zeboulon - think about IT - http://Micros0ft.se
Jan 21, 2008 at 6:52 AM
Edited Jan 21, 2008 at 6:59 AM
In addition to Dscoduc's agreeable SSL posts, reinforcing my main point of free certificates, I'd like to add this analogy:

Today's web host providers simply hand us over a virtual, rental, yet unsafe house. They're like insane landlords who provide us folks with a firm roof to keep us dry, some windows to peek in and out, but charge heavily for a lockable door to simply decide who can step in to add or move around our furniture.

When's the last time you had to pay extra for a brick-and-mortar front and back door with a commodity lock?

So again, I agree with all of you that security must be by design and by default - no argument here at all.
I'm just wondering if BlogEngine.NET should force us to purchase this pretty expensive lockable door.

Thanks Chris for your great reads!
Jan 21, 2008 at 6:58 AM
I agree that it doesn't make sense to encrypt the entire web experience in SSL, rather just the login page. I guess it would be possible to have logic integrated into BlogEngine that would handle the switch-over to SSL when accessing the login and change password pages... Perhaps we could add this to the wish list for BlogEngine. In the meantime I rely on Sanibel Logic's SSLRedirector (http://www.sanibellogic.com/SL/Products.aspx?Cat=ASP.NET) code that handles the redirect from HTTP to HTTPS and back to HTTP based on a config file...

Not to beat my drum too much but I outlined this in my blog entry http://www.dscoduc.com/post/2007/11/Unencrypted-login-to-BlogEngineNet.aspx
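
The two steps described above (IIS requiring SSL on login.aspx and the admin pages, and application logic that switches to HTTPS for the login and change-password pages and back to HTTP for the rest of the blog) can be done inside the application with a small ASP.NET 2.0 HttpModule instead of a third-party redirector. This is an added example, not BlogEngine.NET code and not the SSLRedirector product; the module name, the list of protected paths (~/login.aspx and ~/admin/) and the use of the standard ports 80 and 443 are assumptions about the site layout.

```csharp
using System;
using System.Web;

// Added example (not BlogEngine.NET code): force the login and admin pages onto
// HTTPS and send every other request back to plain HTTP.
public class SslRedirectModule : IHttpModule
{
    // Application-relative path prefixes that must be served over HTTPS.
    // Assumed layout: login.aspx at the root and an admin/ folder.
    private static readonly string[] SecurePaths = { "~/login.aspx", "~/admin/" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Request;

        // e.g. "~/admin/Pages.aspx" regardless of the virtual directory name
        string path = req.AppRelativeCurrentExecutionFilePath;
        bool wantsSsl = RequiresSsl(path);

        if (wantsSsl && !req.IsSecureConnection)
        {
            // A GET for the login form is redirected so the form itself, and
            // therefore its POST action, is served over HTTPS. A POST that
            // arrives here over HTTP has already sent its fields in the clear;
            // the redirect cannot undo that, it only stops the page from working.
            app.Response.Redirect(BuildUrl(req.Url, "https", 443), true);
        }
        else if (!wantsSsl && req.IsSecureConnection)
        {
            // Public pages go back to HTTP, as the thread asks for.
            app.Response.Redirect(BuildUrl(req.Url, "http", 80), true);
        }
    }

    // Case-insensitive prefix match, as IIS paths are case-insensitive.
    public static bool RequiresSsl(string appRelativePath)
    {
        foreach (string prefix in SecurePaths)
        {
            if (appRelativePath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Same host, path and query string, different scheme and port.
    private static string BuildUrl(Uri url, string scheme, int port)
    {
        UriBuilder b = new UriBuilder(url);
        b.Scheme = scheme;
        b.Port = port;
        return b.Uri.AbsoluteUri;
    }
}
```

The module is registered under `<system.web><httpModules>` in web.config with `<add name="SslRedirect" type="SslRedirectModule"/>`. Two points a practitioner will want alongside it: first, set `requireSSL="true"` on the `<forms>` element of `<authentication>`, so the Forms authentication cookie carries the Secure flag and is never sent over plain HTTP; without it, an HTTPS login protects only the password, and the session cookie is still exposed on every later HTTP request (which is also why ~/admin/ stays in the protected list, since with `requireSSL` the cookie would not even reach HTTP admin pages). Second, if the site can afford to run entirely on HTTPS, dropping the downgrade branch is both simpler and safer than switching back and forth.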
Jan 21, 2008 at 7:00 AM
Chris, by all means - keep on drumming! ;-)
Jan 21, 2008 at 7:01 AM
Edited Jan 21, 2008 at 7:03 AM
SelfSSL is nice and as secure as Verisign and such.
The point is still that the admin part isn't designed with SSL in mind.
It could be done easily by putting it as a separate site on the server, for example. Then disable the admin pages on the main site.

/ Zeb
Jan 21, 2008 at 7:18 AM
If you didn't want to purchase Sanibel Logic's SSLRedirector then you could possibly edit the login link to point to https://www.myblog.com/login.aspx and then have the return URL be http://www.myblog.com... I would recommend that you look at the SSLRedirector product as it works excellently and handles the switch-over with ease... I have even configured SSLRedirector to switch over to HTTPS on my password maker application https://www.dscoduc.com/pwmaker.aspx...
Jan 21, 2008 at 7:20 AM
And instead of purchasing those expensive Verisign certificates I would recommend you have a look at https://www.dscoduc.com/pwmaker.aspx for free certificates... I was even able to get a cheap wildcard certificate that allows me to use the same certificate for https://www.dscoduc.com and https://forums.dscoduc.com...
Jan 21, 2008 at 10:17 AM
OK... I'm quite confused/shocked that no one seems to agree with the fact that a modern web-based solution should be secure by default.
Am I the only one who thinks this is a serious matter to discuss? Badly coded websites will get hacked in time...

How you get your certificate, free, self-generated or purchased, is not the point; the point isn't that you CAN secure it with 3rd party solutions either....
The point is still that BlogEngine.NET is such a nice piece of work BUT should be secure by design itself.

/ Zeb
Jan 21, 2008 at 12:35 PM
Zeb, quite an interesting conclusion you draw there. What made you think nobody seems to agree with the "secure by default"-statement?

Cheers
-Mike
Jan 21, 2008 at 2:59 PM
The big problem here is shared hosting. Many hosts put n websites on the same IP, so having an SSL cert for a specific domain is not really practical.
Jan 21, 2008 at 3:00 PM
MikevZ wrote:
> Zeb, quite an interesting conclusion you draw there. What made you think nobody seems to agree with the "secure by default"-statement?
>
> Cheers
> -Mike

Because from the first reply to the last, most comments were about workarounds and how to acquire an SSL cert rather than commenting on the subject.

The subject was why the application wasn't designed with ssl in mind.

I meet people from different companies on almost a daily basis who have absolutely no clue about security. Still, in 2008.
For example: an economy/accounting suite which uses "negative security", as I would call it. Everyone who uses it must have write access to the users file, which holds the user database, but if you rename/delete the file it assumes that you don't want to have security/accounts and gives you admin access to all invoices, salaries, bookkeeping etc. That's not designed with security in mind.