
Re: Fedora Community Pre-Beta Testing



Tom "spot" Callaway wrote:
> On 05/13/2009 04:32 PM, Till Maas wrote:
>> I hope this is only misleading, but it looks to me that this test application 
>> demands the original FAS username/password from testers, which are then sent 
>> via a connection where the certificate cannot be easily verified by the 
>> testers. Also it is a bad idea to use these very important credentials in an 
>> application that may still have security flaws, because it is still in 
>> development. Last but not least this is also a bad education for the users 
>> that get used to providing their credentials to untrustworthy websites.
> 
> I'm not entirely sure I follow this logic. Lots of things authenticate
> against FAS. The source code for every bit of this web application is
> open source and available for review. Do you trust Bodhi? How about
> pkgdb? Or koji? Barring some specific security vulnerability (which you
> haven't pointed out), this criticism seems unfounded.
> 
The SSL certificate for all of bodhi, pkgdb, mirrormanager, and fas is
the same.  When you give your password to any of these entities, you are
trusting that single SSL certificate.  The SSL certificate is signed by
a trusted entity whose business it is to assign certificates to
organizations.  Additionally, all of these apps are available from a
common domain name: admin.fedoraproject.org.  So the cookies that hold
your authentication tokens and are passed back and forth to the server
are available to each of those apps anyway.

On the other hand, publictest16 is on a separate server.  The server has
an SSL certificate that's self-signed.  Additionally, the server has a
different set of people who can log into it with possibly different
trust than the main servers.

With other servers that we host on publictest machines we have them use
a test instance of FAS.  I'm not sure that that will work with
F-community due to the way it has to tie into a lot of other production
services but it definitely isn't a good idea to encourage people to type
their FAS password into non-production machines.

-Toshio

Attachment: signature.asc
Description: OpenPGP digital signature
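
The cookie-scope point in the message above, as an added example that is not part of the original post or of any Fedora code: it applies the RFC 6265 domain and path matching rules to show which requests carry a session cookie set on admin.fedoraproject.org. The cookie attributes, the application paths and the full publictest16 hostname are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain, host_only):
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    # A host-only cookie (no Domain attribute) goes back to the exact host only.
    return (not host_only) and host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_sent(url, cookie):
    """Return True if a browser would attach `cookie` to a request for `url`."""
    parts = urlsplit(url)
    if cookie["secure"] and parts.scheme != "https":
        return False
    return (domain_match(parts.hostname, cookie["domain"], cookie["host_only"])
            and path_match(parts.path or "/", cookie["path"]))

# Constructed cookies; attribute values are assumptions, not taken from FAS.
SESSION = {"domain": "admin.fedoraproject.org", "host_only": True,
           "path": "/", "secure": True}
WIDE = dict(SESSION, domain="fedoraproject.org", host_only=False)

# Constructed URLs; the paths and the full publictest16 hostname are assumptions.
URLS = [
    "https://admin.fedoraproject.org/updates/",
    "https://admin.fedoraproject.org/pkgdb/",
    "https://admin.fedoraproject.org/accounts/",
    "https://publictest16.fedoraproject.org/community/",
    "http://admin.fedoraproject.org/pkgdb/",
]

def audit(cookie):
    """Map each sample URL to whether the cookie would be sent with it."""
    return {url: cookie_sent(url, cookie) for url in URLS}

if __name__ == "__main__":
    for label, cookie in (("host-only", SESSION), ("Domain=fedoraproject.org", WIDE)):
        for url, sent in audit(cookie).items():
            print(f"{label:26} {url:52} {'sent' if sent else 'withheld'}")
```

With the host-only cookie every application under admin.fedoraproject.org receives the token and the test host does not; widening the Domain attribute to the parent domain is what would extend it to a non-production machine.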

