ANNOUNCE: Review requests

Enrico Scholz enrico.scholz at informatik.tu-chemnitz.de
Fri Mar 18 21:17:18 UTC 2005


mattdm at mattdm.org (Matthew Miller) writes:

>> * you need a strong authentication for the actions causing certain actions
>>   (e.g. QA decisions leading to package-builds, tickets which will be
>>   autobuilt (e.g. updates of "trusted" people)). This is required as an
>>   automated packagebuild and -publication process is extremely attractive
>>   for attackers (IMO).
>
> Bugzilla *could* have better authentication, though. I believe the auth
> stuff is now all modularized.

GPG signatures are the only reasonable authentication; trusting in
web-based logins in the age of auto-login features in web browsers is not
very wise. Simple web-based logins are vulnerable to weaknesses in
the backend and to replay attacks. GPG signatures allow tracking
and validation of already-executed actions, and you can prevent replay
attacks.


>> * Bugzilla does not have a voting system with authentication
>
> Hmmm. Would this really be helpful?

Ok, with "voting system" I meant a system supporting the QA votes like
"ACCEPT" or "REJECT", and going into the next state. E.g. see page 25
(real: 32) in

    http://www-user.tu-chemnitz.de/~ensc/diplom/main-DE-oneside.pdf

(sorry, although the image is in English, the rest of the text is only in
German).



>> * Bugzilla is unsafe as authentication happens by a predictable
>>   login_cookie (small integer increased by one at every login).
>
> However, this login_cookie is tied to IP address, so while that's still bad,
> it's not as horrible as it sounds. (Oh, I see comments from you in the
> bugzilla bug about this already.) Anyway, not that I'm volunteering right
> now, but I don't think it'd be a herculean effort to make it work in a Whole
> Different Way.

I am more concerned about the reactions of the bugzilla developers. Their
answers show that they do not understand the underlying HTTP protocol. IP
based authentication must never be used for public HTTP services; you do
not gain any security by it but it destroys functionality.




Enrico
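The two properties Enrico asks for above (an action request that can be validated after the fact and that cannot be replayed, and a session credential that is not a predictable counter) are shown below in an added Python example. It is not code from the mailing list or from Bugzilla; it uses an HMAC over the action payload as a stand-in for a detached GPG signature (an assumption, so the sample runs offline with the standard library), and the names `sign_action`, `ActionVerifier` and `issue_session_token` are mine.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed shared key standing in for the signer's GPG key (assumption);
# with real GPG the verifier would hold only the public key.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(payload: dict) -> bytes:
    # Canonical encoding so signer and verifier hash exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_action(actor: str, action: str, key: bytes = SIGNING_KEY,
                now: Optional[float] = None) -> dict:
    """Build a signed QA action (e.g. ACCEPT/REJECT on a review ticket).

    The timestamp bounds how long the message stays valid; the random nonce
    makes every message unique so an old, valid message cannot be resubmitted.
    """
    payload = {
        "actor": actor,
        "action": action,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
    }
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class ActionVerifier:
    """Validates signed actions, rejects replays, and keeps an audit trail."""

    def __init__(self, key: bytes = SIGNING_KEY, max_age_s: int = 300):
        self.key = key
        self.max_age_s = max_age_s
        self.seen_nonces = set()   # nonces of actions already executed
        self.audit_log = []        # every accepted payload, for later review

    def verify(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        payload = msg["payload"]
        expected = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        # Constant-time comparison of the signature; check this first so that
        # unsigned garbage never reaches the replay or freshness logic.
        if not hmac.compare_digest(expected, msg["sig"]):
            return False, "bad signature"
        now = time.time() if now is None else now
        if abs(now - payload["ts"]) > self.max_age_s:
            return False, "stale timestamp"
        if payload["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(payload["nonce"])
        self.audit_log.append(payload)
        return True, "ok"


def issue_session_token() -> str:
    # Contrast with a login_cookie that is a counter incremented on every
    # login: an attacker who sees one value can guess its neighbours. A token
    # drawn from the OS CSPRNG (256 bits here) carries no such structure.
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    verifier = ActionVerifier()
    msg = sign_action("reviewer@example.org", "ACCEPT ticket-123")
    print(verifier.verify(msg))   # first submission is accepted
    print(verifier.verify(msg))   # identical resubmission is flagged as replay
    print(issue_session_token())
```

The audit log is what lets "already executed actions" be checked later: each accepted payload names the actor, the action and the time, and its signature can be re-verified against the stored message. The nonce set is per-verifier here; a real build system would persist it (or at least the nonces within the freshness window) so a restart does not reopen the replay window.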