Web Security at Rich Client

I am currently creating a web application for a client using a rich client (Flex).

In this application, the user has a password, as well as a couple of other key attributes used throughout the system for identification purposes. (For example, things like mother's maiden name).

First, the user logs in with their password. Then, throughout the application, when the user is about to perform a "destructive" action, they must enter one of these other identifying pieces of data.

My client asked me to download these attributes after logging in, store them in memory and validate against this data on the client before making a call to the server that performs destructive actions.

This strikes me as a potential security risk, since it is possible (albeit difficult) to trick the web client into revealing this data that is sent over the wire. My client thinks I'm paranoid and is convincing me to go ahead.

Some key points to consider:

  • The application is served via HTTPS
  • All client / server communications occur via HTTPS
  • This data is sent to the client only after the login
  • During login, the session is issued with a protected cookie.

Thus, to a large extent, the application is quite safe.

However, my gut tells me that although it can be difficult to extract the data, it is still less secure than if we did not send it at all and checked it on the server instead.

Am I paranoid, or is this a real security risk?
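As an added example (not code from the question or its answers), the server-side alternative to the design described above: the server keeps only salted hashes of the password and of the secondary attribute, the login response carries nothing but an opaque session token, and the destructive endpoint verifies the attribute itself. Python is used because the server side of the post is unspecified; the class and method names are assumptions.

```python
import hashlib
import hmac
import secrets


def _hash(value: str, salt: bytes) -> bytes:
    # Normalise the answer and derive a salted hash, so a leaked record
    # is not a plaintext copy of the identifying attribute.
    return hashlib.pbkdf2_hmac("sha256", value.strip().lower().encode(), salt, 100_000)


class Server:
    """Hypothetical back end: secrets never leave it, checks happen here."""

    def __init__(self):
        self.users = {}     # username -> salted hashes only
        self.sessions = {}  # opaque token -> username

    def register(self, username: str, password: str, maiden_name: str):
        pw_salt, mn_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.users[username] = {
            "pw_salt": pw_salt, "pw": _hash(password, pw_salt),
            "mn_salt": mn_salt, "mn": _hash(maiden_name, mn_salt),
        }

    def login(self, username: str, password: str):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec["pw"], _hash(password, rec["pw_salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        # The design in the question would also return the maiden name here
        # for client-side checking; the secure response is the token alone.
        return {"session": token}

    def delete_account(self, token: str, maiden_name_answer: str) -> str:
        # The "destructive" call re-verifies the attribute on the server, so a
        # client that skips or bypasses its local check gains nothing.
        username = self.sessions.get(token)
        if username is None:
            return "no session"
        rec = self.users[username]
        if not hmac.compare_digest(rec["mn"], _hash(maiden_name_answer, rec["mn_salt"])):
            return "step-up failed"
        del self.users[username]
        return "deleted"
```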


, , flex. , , , , .

, . , http://cwe.mitre.org/data/definitions/602.html


, MD5. . . .


, . HTTPS - . , .


Source: https://habr.com/ru/post/1751073/
