I have found myself in the middle of a depressing discussion about XSS. A security company released a scary video of how it is used in practice to hijack an admin session. And the reactions? As usual.

"This won't happen with $magicunicornframework, ain't no shitty PHP."

"Easy, just tie it to the user's browser version, system version, IP address, geo location, shoe size...."

"That's a banal bug, we only need proper sanitization of user input."

As happens to me more and more often these days, situations like this trigger my "let's invent ourselves a profitable hard problem" sense. In this case: is there really no way for application A running on computer AA to uniquely authenticate to application B running on server BB? I thought this was a solved problem in crypto; we have Diffie-Hellman, PKI, ...

But that's impossible when A may run rogue code that can access these secrets! We can't do much about it!

Oh really? Then why do you let that shit code manage the secrets?


I can't believe no one ever thought of a way for the browser to authenticate a session without handing the secrets to anyone, including JavaScript. It would be a really worthwhile addition to the HTTP protocol... but instead let's do compression and pipelining and whatnot. Actually it goes all the way back to the beginning, when HTTP authentication went largely unused because browser vendors forgot to include a logout button. Just sad.

Update: I got a reply from the security company's owner, and it's really symptomatic:

Nonsense. We have so much work that we'd like to solve interesting problems and not trivial bullshit. And there are many more areas that need better security. Our goal is a better internet and I don't know any pentester who has fun submitting the same bugs over and over. We also want new challenges and to move on, so I believe such bugs will soon really be solved by frameworks, better session management and proper separation of contexts (text, html, javascript, data, css, data from user, data from server, ...)