BrianR's Trip to Rootfest 2000

Summary

Brian Ristuccia will be presenting a cross-host authentication system for Intranets and large multihost web sites which allows users to authenticate securely with multiple potentially rogue remote sites using the same login and password. The system works with unmodified versions of almost every web browser including Netscape Communicator, Internet Explorer, Mozilla, Lynx, and w3m. Also, discussion about how malicious hyperlinks and scripts in on third party web sites, HTML email messages, IRC, and messaging clients can be employed to abuse other already authenticated sessions in popular browsers and how sites can defend against these attacks.

Brian Ristuccia spoke on circumventing censorware, filtering proxies, and government firewalls at last year's RootFest. Brian has been continually involved in anti-censorship and computer security research since 1994, and has published software and instructions for disabling the integrated PICS censorware in popular web browsers. He is an undergraduate computer science student at the University of Massachusetts Lowell and an employee of Nortel Networks.

Photos

• Courtesy of b3l33t
  • June 15th - RootFest [day 2]
  • June 16th - RootFest [day 3]
  • June 16th - Downtown St. Paul
  • June 16th - Post LameFest... er RootFest Party...
  • June 17th - Raspberry's House
• Courtesy of Jose Nazario
  • rootfest 2000, minneapolis, mn june 13-17, 2000

Software

• nph-401.cgi - Intended for use as an Apache error document for 401 authorization required. This script, when called with no options, will redirect the user to the authorization URL http://login.978.org/login.cgi?url=http://url.that.authorization.was.required.for.example.com/ which, if all goes well, will retirect the user back to nph-401.cgi with two comma seperated options, the first being the authorization token, and the second being the original URL. The script will then generate output that will set the authorization cookie to the authorization cookie and redirect the user to the page they had originally tried to visit.
• login.cgi - If the user authenticates with the login server successfully, this script updates the authentication token database and then redirects the user to nph-401.cgi to set the cookie and make the final redirect to the page where authentication was required.

Apache Configuration Stuff

# Redirect 401's to the nph-401, which will actually do a 302 ->
# login.978.org
ErrorDocument 401 /nph-401.cgi

<Location / >
 AuthType Basic
 AuthName "978 Events Page"
 AuthDBUserFile /home/osiris/978/html/login/authdb/events.978.org
 require valid-user
 AuthCookieName tollhouse
</Location>

<Location /nph-401.cgi>
 Allow From All
 Satisfy Any   
</Location>