Thursday, January 14, 2010

CEA now supports secure Web URIs

During web collaboration sessions, there was the potential for the web session to be 'snooped'. The CEA 1.0.0.1 release took steps to resolve this. When the 'invitation link' (the URI used for collaboration) is generated, a random number called a 'nonce' is also generated and appended to the end of the URL as a way to prevent session snooping through man-in-the-middle attacks.

For example, this is the URI User2 received from User1:

http://s1.suq.hal.com/PlantsByWebSphereAjax/cobrowse.html?cea_collab=s1.1255561449053.0_2&nonce=-1554841135

User2 pastes it into a browser to start the Web collaboration. User1's collaboration session compares the nonce value in the URI to the generated value, and if they match, the session is instantiated and Web collaboration is established.
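The issue-and-compare flow described above, sketched as an added example that is not CEA's own code. The `cea_collab` and `nonce` parameter names come from the example URI; the function names, the in-memory store, the host name, the 128-bit token and the single-use rule are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Pending invitations: collaboration id -> nonce issued with the link.
# Assumption: an in-memory dict stands in for the inviter's session state.
_pending = {}


def create_invitation(base_url, collab_id):
    """Build an invitation link carrying a fresh, unguessable nonce."""
    # Assumption: 128 bits from the OS CSPRNG; the page does not say how
    # CEA generates its nonce or how long it is.
    nonce = secrets.token_urlsafe(16)
    _pending[collab_id] = nonce
    return base_url + "?" + urlencode({"cea_collab": collab_id, "nonce": nonce})


def accept_invitation(url):
    """Return True only if the link's nonce matches the one that was issued."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    collab_ids = params.get("cea_collab", [])
    nonces = params.get("nonce", [])
    # Reject missing or repeated parameters instead of guessing which to use.
    if len(collab_ids) != 1 or len(nonces) != 1:
        return False
    expected = _pending.get(collab_ids[0])
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), nonces[0].encode()):
        return False
    # Assumption: invitations are single use, so a replayed link is refused.
    del _pending[collab_ids[0]]
    return True


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    link = create_invitation("https://collab.example.test/cobrowse.html", "demo.1")
    print(link)
    print("no nonce :", accept_invitation(link.split("&nonce=")[0]))
    print("valid    :", accept_invitation(link))
    print("replayed :", accept_invitation(link))
```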
