Reputation: 1187
A simple question, I think.
If I use the Google user accounts in App Engine
from google.appengine.api import users
to authenticate my users, how secure is the rest of my app under http (not https), i.e. where are the weak points of such a setup?
Thanks
Upvotes: 2
Views: 106
Reputation: 14187
Assume that anything you send over http can be intercepted and examined by an attacker. This includes whatever token you are storing in their browser to authenticate them - the attackers can see this too, and use it to fake requests.
If this sounds like a "theoretical" vulnerability that you don't need to worry about, then you shouldn't do anything that involves safeguarding user data until you read up on FireSheep and understand how it works and how you would prevent something similar. (This is just one example of an attack you need to understand. It is not the only possible attack.)
In short, the weak points of such a setup are all the points where you are using http to send anything you want to keep private.
Upvotes: 4
Reputation: 12838
Your question is unclear, but if you're asking whether authenticating users with Google Accounts on an HTTP app could potentially expose passwords to an attacker, the answer is no.
Even though your app is not using SSL, passwords are never transmitted in plain text. When authentication starts, users are redirected to a secure page at google.com to enter their credentials. Credentials are posted via SSL, and if authentication succeeds, Google generates an authentication token that is passed back to your app and stored in a cookie. The Users API makes an internal RPC to resolve this token back into Google credentials.
The most that an attacker could do is intercept the authentication token and spoof the user for the duration of the token's validity (1 day by default; configurable up to 2 weeks). They would never have access to passwords. To prevent spoofing, you'd need to make sure all logged-in activity happens on HTTPS and the auth cookie is never stored via HTTP.
Upvotes: 2
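The mitigation named in the last answer (all logged-in activity on HTTPS, no auth cookie over HTTP), sketched as an added example that is not part of the original thread: a WSGI middleware that refuses to run the app over plain HTTP and adds `Secure` and `HttpOnly` to cookies the app itself sets. The class name, the sample app, the host `app.example` and the cookie value are hypothetical and constructed for illustration.

```python
class HttpsOnly:
    """WSGI middleware (added example; all names here are hypothetical)."""
    HSTS = ("Strict-Transport-Security", "max-age=31536000")

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Assumes wsgi.url_scheme reflects the scheme the client actually used.
        if environ.get("wsgi.url_scheme") != "https":
            # Do not run the app over HTTP, so it can never set a cookie there.
            host = environ.get("HTTP_HOST", "").split(":")[0]  # assume port 443
            url = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                url += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently", [("Location", url)])
            return [b""]

        def hardened(status, headers, exc_info=None):
            # The redirect alone is not enough: a cookie without Secure is
            # still sent by the browser on its next plain-HTTP request.
            out = [self._secure(n, v) for n, v in headers] + [self.HSTS]
            return start_response(status, out, exc_info)

        return self.app(environ, hardened)

    @staticmethod
    def _secure(name, value):
        if name.lower() != "set-cookie":
            return (name, value)
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                value += "; " + flag
        return (name, value)


def demo_app(environ, start_response):
    # Constructed sample app: sets a session cookie with no protective flags.
    start_response("200 OK", [("Set-Cookie", "session=abc123; Path=/")])
    return [b"ok"]


def call(app, scheme, query=""):
    """Drive a WSGI app once; return (status, headers) as the client sees them."""
    seen = {}
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": "app.example",
               "PATH_INFO": "/account", "QUERY_STRING": query}
    app(environ, lambda status, headers, exc_info=None: seen.update(s=status, h=dict(headers)))
    return seen["s"], seen["h"]
```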