Poll + discussion for https option

Hi,

you might have seen my earlier post containing the patch to make pebble work with https as secure url - e.g. username/password should be transmitted over https and at least the following session should continue in https.

I'd like to see comments of people who would like to use pebble this way: Who has configured their pebble.properties entries "url" and "secureUrl" and does not rely on the standards? Moreover: Who has configured "secureUrl" different than "url"?

The reason for this question is that I've introduced a new config option named "httpsWorkaroundEnabled" that triggers some changed behaviour, and already I'd like to get rid of it but don't want to cause any unwanted side effects.

The current solution (to be committed this evening or tomorrow) is capable of the following: When the new option is set to true, all *.secureActions are transmitted to the configured secureUrl, likely a https url. This includes the login dialog's target, all administrative actions and the other resources like images and css. All other content on the site is still linked via the regular url. This means that even from administrative pages you can go back to non-secured urls by clicking one of the ordinary navigation links like "home" or any other article link (provided your ordinary blogUrl is http, not https).

I'm wondering about at least this question:

* Even though it's just introduced, there should be another more elegant way to implement this than with a "workaround" config option. I was thinking about determining "if the blogUrl is http and the secureUrl is https the option is triggered". Can anybody think of counterexamples? Does it break anything anybody is already using?

Please let me know.

Cheers, Olaf

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Pebble-user mailing list
Pebble-user@...
https://lists.sourceforge.net/lists/listinfo/pebble-user
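The link-routing rule described in the post above, and the scheme-based heuristic proposed as a replacement for the "httpsWorkaroundEnabled" option, written out as an added Python example. This is not Pebble's code (Pebble is a Java webapp); the only names taken from the thread are the properties "url" and "secureUrl" and the "*.secureActions" wording. The ".secureaction" suffix test, the "/images/" and "/css/" resource prefixes, the function names and the sample hostnames are assumptions made for the example.

```python
"""Model of the link-routing rule described in the post above.

Added example, not Pebble code. It reproduces the described behaviour:
with the workaround active, secure actions and the static resources that
admin pages need are linked via secureUrl; every other link, including
"home" and article links, stays on the ordinary url. It also implements
the heuristic proposed instead of the explicit option: derive the switch
from the schemes of url and secureUrl.

Assumptions (not from the thread): protected actions are recognised by
the ".secureaction" suffix, static resources by the /images/ and /css/
prefixes, and the hostnames are invented.
"""
from urllib.parse import urlsplit

# Constructed for the example: prefixes of resources that admin pages load.
SECURE_RESOURCE_PREFIXES = ("/images/", "/css/")


def https_workaround_implied(props):
    """Proposed replacement for httpsWorkaroundEnabled: on exactly when the
    ordinary url is http and secureUrl is https."""
    url_scheme = urlsplit(props["url"]).scheme.lower()
    secure_scheme = urlsplit(props["secureUrl"]).scheme.lower()
    return url_scheme == "http" and secure_scheme == "https"


def needs_secure_url(path):
    """True for links that the workaround sends to secureUrl."""
    lowered = path.lower()
    return lowered.endswith(".secureaction") or lowered.startswith(SECURE_RESOURCE_PREFIXES)


def link_for(props, path, workaround_enabled=None):
    """Absolute link for a site-relative path.

    workaround_enabled=None derives the switch from the scheme heuristic;
    pass True/False to model the explicit httpsWorkaroundEnabled setting.
    """
    if workaround_enabled is None:
        workaround_enabled = https_workaround_implied(props)
    use_secure = workaround_enabled and needs_secure_url(path)
    base = props["secureUrl"] if use_secure else props["url"]
    return base.rstrip("/") + "/" + path.lstrip("/")


def downgrade_links(props, paths, workaround_enabled=None):
    """Links that drop from https back to http: the 'click home from an
    admin page' case the post warns about, for a given configuration."""
    secure_scheme = urlsplit(props["secureUrl"]).scheme.lower()
    result = []
    for path in paths:
        link = link_for(props, path, workaround_enabled)
        if secure_scheme == "https" and urlsplit(link).scheme.lower() == "http":
            result.append(link)
    return result


def config_findings(props):
    """Sanity checks on the two properties; each finding is a plain string."""
    url_scheme = urlsplit(props["url"]).scheme.lower()
    secure_scheme = urlsplit(props["secureUrl"]).scheme.lower()
    findings = []
    if secure_scheme != "https":
        findings.append("secureUrl is not https; login credentials would travel in clear")
    if url_scheme == "https" and secure_scheme == "https":
        findings.append("pure https site; the workaround is unnecessary")
    if url_scheme == "http" and secure_scheme == "https":
        findings.append("mixed http/https site; non-secure links still drop back to http")
    return findings


if __name__ == "__main__":
    # Constructed pebble.properties values.
    props = {"url": "http://blog.example.test/pebble",
             "secureUrl": "https://blog.example.test/pebble"}
    for path in ("/login.secureaction", "/css/pebble.css", "/", "/2008/04/01/hello.html"):
        print(path, "->", link_for(props, path))
    print("downgrades:", downgrade_links(props, ["/", "/admin.secureaction"]))
    print("findings:", config_findings(props))
```

`downgrade_links` is the check to run before relying on the heuristic: for an http/https pair it lists exactly the navigation links that leave the secured area, and for an all-https pair it is empty, which is the "pure https usage is fine" case from later in the thread.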
Re: Poll + discussion for https option

Hi Olaf,

> you might have seen my earlier post containing the patch to make pebble work
> with https as secure url - e.g. username/password should be
> transmitted over https and at least the following session should continue in https.
> I'd like to see comments of people who would like to use pebble this way:

I've been following along here a little and while I haven't tried any of your recent additions yet, I would be very interested in this sort of feature as I am looking at creating some secure applications which would benefit from the ability to incorporate a secure Pebble for posting news and private community discussions, etc.

Let me know if you need a proving ground for your work or anything.

David McLure (aka "dav0")
Re: Poll + discussion for https option

David McLure wrote:
> I've been following along here a little and while I haven't tried any
> of your recent additions yet, I would be very interested in this sort
> of feature as I am looking at creating some secure applications which
> would benefit from the ability to incorporate a secure Pebble for
> posting news and private community discussions, etc.
>
> Let me know if you need a proving ground for your work or anything.

Thanks, I'm tempted to ask what you mean with "a secure pebble" - as you are posting in reply to my https question I'm assuming that this applies to secure communication. In other aspects (like disallowing scripting in templates and jsps) I very much appreciate the decisions Simon has made securitywise, so that a compromised login or a malicious user would not lead to the server turning into an attacking machine. If anyone knows of other attack paths, please let me (or us) know.

The patch I've posted earlier has just been committed to svn and is available there. Now pebble does more than before in terms of securing communication, but there are still issues, although they are certainly of less importance than the issues just fixed. Username and password may travel via https, but the session cookie belonging to the authenticated session is still transmitted either via https or http - that means, one is still prone to session hijacking once logged in (which is far better than password hijacking, but still not too good).

If you'd like to test the current version and see if it fits your privacy needs, please go ahead. I'm not yet familiar with the nightly build mechanics, so you'd have to go to svn and compile for yourself. The current revision is 413, svn information is linked on http://pebble.sf.net/

Cheers, Olaf
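An added illustration of the session-cookie point made in the post above: why a session cookie that is not marked Secure still travels on the http links after an https login, and how to check a login response for the attribute. This is example code, not Pebble's; Python's standard-library cookie jar stands in for a browser, since it applies the same rule browsers do (a Secure cookie is only sent on https). The hostname, the cookie name JSESSIONID, the paths and the cookie values are constructed for the example.

```python
"""Illustration of the session-cookie point made in the post above.

Added example, not Pebble code. The standard-library cookie jar stands
in for a browser: it sends a cookie marked Secure only on https
requests. A session cookie set without that attribute rides along on
the http links too, so the session id is exposed after login; the same
cookie with Secure stays on https. Host, paths and cookie values are
constructed for the example.
"""
from http.cookiejar import Cookie, CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

HOST = "blog.example.test"  # constructed


def session_cookie(value, secure):
    """A JSESSIONID cookie as a servlet container would set it; secure=True
    models the Secure attribute on the Set-Cookie header."""
    return Cookie(
        version=0, name="JSESSIONID", value=value,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar, url):
    """Cookie header a browser-like client attaches to a request for url,
    or None when the jar withholds the cookie (Secure cookie, http url)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def session_exposure(secure):
    """For the two link kinds in the thread, does the session id travel?"""
    jar = CookieJar()
    jar.set_cookie(session_cookie("c0ffee", secure))
    return {
        "login (https)": cookie_header_for(jar, f"https://{HOST}/pebble/login.secureaction") is not None,
        "home link (http)": cookie_header_for(jar, f"http://{HOST}/pebble/") is not None,
    }


def set_cookie_is_secure(set_cookie_header, name="JSESSIONID"):
    """Check a captured Set-Cookie header for the Secure attribute; this is
    what to inspect in the login response of a deployment."""
    parsed = SimpleCookie(set_cookie_header)
    if name not in parsed:
        return False
    return bool(parsed[name]["secure"])


if __name__ == "__main__":
    for secure in (False, True):
        print("Secure attribute:", secure, "->", session_exposure(secure))
    # Constructed headers, as a servlet container might emit them.
    print(set_cookie_is_secure("JSESSIONID=c0ffee; Path=/pebble"))
    print(set_cookie_is_secure("JSESSIONID=c0ffee; Path=/pebble; Secure"))
```

In a servlet container the corresponding fix is to mark the session cookie Secure (the Servlet API exposes this as Cookie.setSecure(true)), which only works once every page an authenticated user can reach is served over https; on a site that still links back to http the cookie would simply stop arriving there, which is the mixed-scheme problem the post describes.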
Re: Poll + discussion for https option

> I'm tempted to ask what you mean with "a secure pebble" - as you are
> posting in reply to my https question I'm assuming that this applies to
> secure communication. In other aspects (like disallowing scripting in
> templates and jsps) I very much appreciate the decisions Simon has made
> securitywise, so that a compromised login or a malicious user would not
> lead to the server turning into an attacking machine.

Yes, I am well aware of the use of Spring Security (formerly Acegi) in terms of securing Pebble, but was instead referring to the use of https in encrypting the transmission of data to and from the user. I plan to start running more of my servers over https by default, to help patch potential security holes, so I am glad to hear that you are addressing improvements in the support of https on Pebble.

-dav0
Re: Poll + discussion for https option

David McLure wrote:
> I plan to start running more of my servers over https by default, to
> help patch potential security holes, so I am glad to hear that you are
> addressing improvements in the support of https on Pebble.

Hi David, hi all,

sorry, I feel I have to comment on this, as it touches problems that I'm trying to raise awareness of. This probably is not an answer to your post and does not say that you've got it wrong. I just feel that your statement has some potential for misunderstanding and should be commented on if someone finds it in the archives. Actually, this seems to lead to the discussion I asked for :)

Https does /not/ patch security holes. In fact, it might as well create new ones or at least make existing ones more serious. Https is only about transport layer security; there is no application security whatsoever involved. https is about two factors:

* Encrypting the connection
* Authenticating the server to the client (e.g. the clients know for sure whom they are communicating with)

(with client side certificates a third bulletpoint would be authenticating the client to the server)

I'm currently preparing an in depth article on this topic that should soon be posted to http://www.olafkock.de/ (in english), getting somewhat deeper into this issue.

Security holes in applications using https are even worse than security holes in http applications because users are lulled into false security. There's that cozy yellow or green bar that everybody has been told to trust. Transport layer security ensures that all security holes (e.g. cross site scripting attacks) are transferred to you in a secure - encrypted and authenticated - manner. That means, you can be /sure/ who delivered an attack to you: it's the authenticated server.

In an unrelated side note to get on topic for the Pebble mailing list: Pebble - even without my last patches - is fine for pure https usage. The problems I'm working on stem from mixing http and https delivery.

Cheers, Olaf
Re: Poll + discussion for https option

> sorry, I feel I have to comment on this, as it touches problems, that
> I'm trying to raise awareness in. This probably is not an answer to your
> post and does not say that you've got it wrong. I just feel that your
> statement has some potential for misunderstanding and should be
> commented if someone finds it in the archives.
>
> Actually, this seems to lead to the discussion I asked for :)

I would agree that my statement has some potential for misunderstanding, but that might kill the budding discussion, so I won't. :-)

> Https does /not/ patch security holes. In fact, it might as well create
> new ones or at least make existing ones more serious.
> etc. etc.

Honestly, I have no arguments with any of your points here as they are all quite true. I tried to follow your link, but my German isn't so gut.

I will add that sending data in clear text over http is like sending a postcard versus a letter. Since that is a boring analogy I will go a step further and say that it is like having your secure session data personally delivered by a naked fat man streaking through the streets at night - nobody will probably bother to look out their windows to see him and your session data because it would require a window with a full view of the street, and anyone who peeked probably wouldn't see much of him or your session in the dark anyway, but the fact is that the potential for abuse as well as the consequences of having your data compromised still exist.

Gotta love that analogy! :-)

To summarize (for the sake of the archives), there are many facets to security. It doesn't do much good to have an impenetrable front door when, like a Monty Python episode, there are no walls. Similarly, it doesn't make sense to focus on top secret passwords alone, when once the password has been entered, your entire life story is broadcast over a hurricane siren to the entire world. When it comes to http versus https, it can be a little like that.

-dav0
Re: Poll + discussion for https option

Hi,

short answer before starting to work -

David McLure wrote:
> Honestly, I have no arguments with any of your points here as they are
> all quite true. I tried to follow your link, but my German isn't so
> gut.

The article is not there yet. Once it is, it will be in english. Most of the stuff on the site is in german though, as it is just personal rambling. Technical stuff is more likely to be either in english or both languages.

> I will [...] say that it is like having your secure session data
> personally delivered by a naked fat man streaking through the streets
> at night [...]
>
> Gotta love that analogy! :-)

I will /so/ shamelessly steal this analogy :) Thanks - now I'm sitting here in the office with this image in my head and try to start working...

Cheers, Olaf