Old 11-27-2007, 04:14 PM
Toshio Kuratomi
 
Our Web Apps and SSL

I've had this in the back of my mind for a while but only looked at it
yesterday. I think we have a potential problem with the way kojiweb is
using SSL. To a lesser extent it affects our TurboGears apps as well.


= Koji =

Kojiweb uses SSL to authenticate the client. This is fine. Kojiweb
then stores a session cookie on the client's machine so the client
doesn't have to go through the auth mechanism on every transaction.
This is also fine. However, kojiweb does not require that this cookie
be sent back to the server via SSL and when you initially hit koji via a
non-SSL connection only the authentication itself uses SSL. koji sends
the session cookie over an unencrypted connection. This leaves koji
open to packet sniffing and man-in-the-middle attacks.


To prevent this we should be doing two things:
1) Set the session cookie's secure flag to True
2) Once logged in, return the user to an https URL rather than http.

= TurboGears =

Our TurboGears apps are all running behind
https://admin.fedoraproject.org so they have to use an SSL link in order
to pull up content. However, the plain http link is active; it just
redirects to the SSL page. This means that if you log in and then
explicitly request a plain http URL the session cookie will be returned
to the server over an unencrypted connection. This is not too bad as
the TG servers should be set up to return https links (so someone would
have to actually change the URL to http after logging in) but it is a hole.


I sent an email last month to say that we'd be upgrading to TG-1.0.3 to
close this hole but dropped the ball on actually doing the upgrade.
I'll be doing that today; please let me know if you experience any
strange problems with your web application and we'll try to work out if
it's TG-1.0.3 related.


-Toshio

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
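The two-part fix described in this message (Secure flag on the session cookie, post-login redirect to https) modelled in standard-library Python. This is an added example for the thread, not code from Koji, TurboGears or the original poster; the cookie name `session` and the host `koji.example.org` are constructed placeholders.

```python
"""Added example (not from the thread): model the session-cookie fix
described in the email using only the Python standard library.

Part 1: emit the session cookie with the Secure attribute so a browser
        will never attach it to a plain http request.
Part 2: send the user to an https URL after login so the session does not
        continue over an unencrypted link.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

COOKIE_NAME = "session"  # constructed name; the real app's cookie name differs


def build_session_cookie(session_id: str, secure: bool = True) -> str:
    """Return the Set-Cookie header value for the session cookie.

    secure=False reproduces the weak setting the message describes (cookie
    sent over http); secure=True is the corrected setting.
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = session_id
    jar[COOKIE_NAME]["path"] = "/"
    if secure:
        jar[COOKIE_NAME]["secure"] = True
    return jar[COOKIE_NAME].OutputString()


def cookie_is_secure(set_cookie_header: str) -> bool:
    """Parse a Set-Cookie header and report whether the Secure flag is present.

    Useful as a deployment check: fetch the login response and run this over
    its Set-Cookie header.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return bool(jar[COOKIE_NAME]["secure"])


def browser_would_send(set_cookie_header: str, request_url: str) -> bool:
    """Model the browser rule: a Secure cookie is only attached to https requests.

    Without the flag the cookie goes out on both schemes, which is exactly the
    exposure to sniffing the message describes.
    """
    scheme = urlsplit(request_url).scheme
    if cookie_is_secure(set_cookie_header):
        return scheme == "https"
    return scheme in ("http", "https")


def post_login_redirect(return_to: str) -> str:
    """Rewrite the post-login destination to https (part 2 of the fix).

    Only the scheme changes; host, path, query and fragment are preserved.
    """
    parts = urlsplit(return_to)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    weak = build_session_cookie("0123456789abcdef", secure=False)
    fixed = build_session_cookie("0123456789abcdef", secure=True)
    plain_url = "http://koji.example.org/koji/builds"
    print("weak  :", weak, "-> sent over http?", browser_would_send(weak, plain_url))
    print("fixed :", fixed, "-> sent over http?", browser_would_send(fixed, plain_url))
    print("redirect after login:", post_login_redirect(plain_url))
```

`cookie_is_secure` doubles as the check to run against the deployed login page once the configuration change is in place; `browser_would_send` shows why the redirect alone is not enough, since a user who types an http URL would still leak a cookie that lacks the flag.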
Old 11-27-2007, 06:13 PM
Toshio Kuratomi
 
Our Web Apps and SSL

Toshio Kuratomi wrote:
I've had this in the back of my mind for a while but only looked at it
yesterday. I think we have a potential problem with the way kojiweb is
using SSL. To a lesser extent it affects our TurboGears apps as well.


= Koji =


Ticket opened with a patch for one of the two portions of the fix:
https://hosted.fedoraproject.org/projects/koji/attachment/ticket/64


= TurboGears =


TurboGears upgraded on the app servers and all apps have been restarted
with a config file to set the secure flag in the cookie. Let me know if
this breaks anything.


-Toshio
