your session has expired: the sorry state of web session timeouts

I used to work in a team managing an authentication infrastructure.  It was based on Kerberos.  We went with the default session length of 10 hours.  The idea behind this default was: it's long enough for a work day including breaks, plus a bit.  When stuff stops working because the user has been logged out, they are free to log in again if they really want, but maybe they also appreciate the reminder, that it's time to go home.

The world of web site timeouts, for online banking, or anything finance related, is different.  It's a race to the bottom.  How quickly can you kick someone off the service, and still have them sometimes to achieve the thing they logged in to do?  Because it might not be them!  So better limit the time the not-them has to do stuff.  Or maybe the them lets a not-them take over their session part way through.  So better log them out just in case.

This is all the wrong approach to authentication.  Authentication should give a strong guarantee between two parties, that they are dealing with the other party for real.  Once that is established, it is destructive to start second-guessing it, and deciding that actually it's no good.

Imagine going for a meeting at a business's invitation.  You show id at reception.  You meet your counterpart and go to a meeting room.  Then, every 300 seconds, your counterpart decides to treat you like a stranger again, calling security, and kicking you out.  Why do things online in the equivalent way?

One reason is the custodian liability problem.  Financial services are done as custodian services.  If the custodian releases the assets they're looking after to the wrong party, are they liable?  Reasonably, that could depend on what led to it.  In a workable world, an authentication procedure is designed with a clear division of the responsibilities between the parties, and a trail is recorded at each authentication, and during service use, so that the cause of any bogus authentications can probably be established.  If the user lost control of their device, or exposed their credentials, they have to take the loss.  If it was the custodian service provider's fault, they are liable.

The current world is nothing like that.  Authentication processes are ridiculous from the outset.  No one has control of their own devices.  To the nearest percent, zero percent of people have control of their own smartphones, because that's how they're designed.  To the nearest percent, either zero or one percent of people have control of their own laptop and desktop computers.  You can't build anything on this base, except shitfrastructure.

If a customer gives their logged-in laptop to someone else, and the someone else accesses a logged-in session to steal something, and the session was 25 minutes old at the time, there is going to be a lawyer who argues it.  Never mind that it was the customer's fault: the question will be "would this have been able to happen if the timeout was 15 minutes"?  Well, would it?  And so on, then, all the way to just above zero.

The "logic" is unstoppable.  The only way to have sensible custodian service timeouts is with enabling regulation clearly delineating responsibilities, and therefore liability, and disallowing lawyery arguments like the above.  But that would have to use a strong technical basis for authentication, and the world lacks that.  As well, the world won't be getting that.  So we will continue to live in a world of very short timeouts for anything custodian.


 

Bad timeouts are, of course, just a small part of the much bigger problem of bad authentication.

Comments

Post a Comment

Popular posts from this blog

the persistent idiocy of "privileged ports" on Unix

TCP and UDP have ports.  These are 16 bit; there are 65535 or so per IP address. These protocols don't care to differentiate between the ports.  Elsewhere, IANA presumes to operate a process to allocate "well-known" ports in the range 1-1023, "registered ports" in the range 1024-49151, and to reserve the remainder, 49152–65535, for "ephemeral" ports.  The caller end has to have a port, which is how replies get back within the virtual connection, and these are conventionally picked from the ephemeral range by the OS's networking stack. The whole idea of ports is ridiculous, because it allows ISPs to arse around presuming to decide which services they will "not allow".  Anything that allows IPSs to do anything other than shift opaque packets will allow ISPs to meddle and break things, and due to the Law of Meddling, if they can, they will.  I am currently working around an issue with Claro, a pretend ISP, blocking port 5060, allocated to SI
Read more

google is giving more and more 500 errors

Image
Total state capture and moral bankruptcy are not the only problems facing Google.  They are also giving an increasing rate of 500 Internal Server errors.  This is the sort that means they've messed up, but not in a way that they should have messed up.  On the other hand, they have drawn a lovely picture of a robot falling apart. Today's example is from Google Calendar under calendar.google.com.  I was trying to make an appointment, and now I'm doing this. I remember, in 2018, a friend trying to convince me that 500 Internal Server Errors no longer happened, or if they did it was my fault, and that they hadn't seen any for years, and some other things.  They assured me that they would love to see screenshots of such a rare specimen, which I bored them with for a while.  That friend happens to be a Google employee. Well, there are plenty of others posting about Google Calendar on twitter today, including screenshots of 500 Internal Server errors, so I doubt this one is en
Read more

7 minute workout: a straightforward audio recording (and two broken google web sites)

Image
 Last year I had a simple rendition of the 7 minute workout routine recorded by a voice artist . I wanted a simple audio track to help get the timings right.  I used to have a good "app" that did it, but that handset died.  Subsequent "app"s have got rubbisher and rubbisher, by having mega-configurable exercise order and making it complicated, with intrusive advertising, by synthesizing unpleasant robot voices instead of simply recording a human voice, and by making everything sound so pumped. Youtube video mmq5zZfmIws is not bad, but they have not been able to resist having ads, and a quick part of the morning routine can not have ads, it's just too tacky.  But one can watch someone doing each exercise and see how to do it properly.  Incidentally, they are at 30M views, also because daily routine.  The track I got recorded, in m4a format, is: https://drive.google.com/uc?export=download&id=1c91iH6XJrfCiItTJErJAmIbNdGuHN0tr (direct download link) https://dr
Read more