On Thu, Jun 08, 2017 at 22:37:34 -0700,
Ken Tanzer <ken.tanzer@gmail.com> wrote:
>
>My approach was to have the initial connection made by the owner, and then
>after successfully authenticating the user, to switch to the role of the
>site they belong to. After investigation, this still seems feasible but
>imperfect. Specifically, I thought it would be possible to configure such
>that after changing to a more restricted role, it would not be possible to
>change back. But after seeing this thread (
How are you keeping the credentials of the owner from being compromised? It
seems if you are worried about role changing, adversaries will likely also
be in a position to steal the owner's credentials or hijack the connection
before privileges are dropped.