
Our Web Apps and SSL



I've had this in the back of my mind for a while but only looked at it yesterday. I think we have a potential problem with the way kojiweb is using SSL. To a lesser extent it affects our TurboGears apps as well.

= Koji =

Kojiweb uses SSL to authenticate the client. This is fine. Kojiweb then stores a session cookie on the client's machine so the client doesn't have to go through the auth mechanism on every transaction. This is also fine. However, kojiweb does not require that this cookie be sent back to the server via SSL, and when you initially hit koji via a non-SSL connection, only the authentication itself uses SSL; koji sends the session cookie over an unencrypted connection. This leaves koji open to packet sniffing and man-in-the-middle attacks.

To prevent this, we should do two things:
1) Set the session cookie's secure flag to True
2) Once logged in, return the user to an https URL rather than http.

= TurboGears =

Our TurboGears apps are all running behind https://admin.fedoraproject.org, so they have to use an SSL link in order to pull up content. However, the plain http link is active; it just redirects to the SSL page. This means that if you log in and then explicitly request a plain http URL, the session cookie will be returned to the server over an unencrypted connection. This is not too bad, as the TG servers should be set up to return https links (so someone would have to actually change the URL to http after logging in), but it is a hole.

I sent an email last month to say that we'd be upgrading to TG-1.0.3 to close this hole but dropped the ball on actually doing the upgrade. I'll be doing that today; please let me know if you experience any strange problems with your web application and we'll try to work out if it's TG-1.0.3 related.

-Toshio
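The two fixes proposed in the mail (a session cookie with the Secure flag, and sending every plain-http request, including the post-login return, to https), as an added example. This is not koji's, kojiweb's or TurboGears' own code; it models the requests as plain WSGI environ dicts so it runs offline. The cookie name "session", the host koji.example.org and the sample requests are assumptions of mine, not taken from the post. It also adds a server-side check the mail does not mention: a session cookie that nonetheless arrives over http is ignored, so the fix does not rest on the browser honoring the Secure flag.

```python
"""Hardened session-cookie handling (added example, not koji/TurboGears code).

Assumptions: cookie name "session", host koji.example.org, and a WSGI
environ whose wsgi.url_scheme reflects the TLS state of the connection
(behind a TLS-terminating proxy you would derive it from the proxy's
header instead, and only trust that header from the proxy itself).
"""
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

COOKIE_NAME = "session"  # assumed name, not koji's real cookie name


def build_session_cookie(session_id, cookie_name=COOKIE_NAME):
    """Set-Cookie value with the Secure flag (fix 1 from the mail).
    HttpOnly is added as well so page script cannot read the cookie."""
    jar = SimpleCookie()
    jar[cookie_name] = session_id
    jar[cookie_name]["secure"] = True
    jar[cookie_name]["httponly"] = True
    jar[cookie_name]["path"] = "/"
    return jar[cookie_name].OutputString()


def cookie_attributes(set_cookie_value):
    """Lower-cased attribute names of a Set-Cookie value, e.g. {'secure', 'path'}."""
    parts = [p.strip() for p in set_cookie_value.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def https_redirect_for(environ):
    """Location of the same request on https if it arrived over plain http,
    else None (fix 2, applied to every request rather than only the login)."""
    if environ.get("wsgi.url_scheme") == "https":
        return None
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    return urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))


def session_from_request(environ, cookie_name=COOKIE_NAME):
    """Session id from the request cookie, or None. A cookie that arrived over
    plain http is ignored: the Secure flag stops a conforming browser from
    sending it, and this check stops the server from honoring it anyway."""
    if environ.get("wsgi.url_scheme") != "https":
        return None
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(cookie_name)
    return morsel.value if morsel is not None else None


def login_response(session_id, next_path, host):
    """Response after a successful SSL client-cert login: set the cookie and
    return the user to an https URL. next_path must be a local path so the
    redirect cannot be pointed at another site."""
    if not next_path.startswith("/") or next_path.startswith("//"):
        next_path = "/"
    headers = [
        ("Set-Cookie", build_session_cookie(session_id)),
        ("Location", urlunsplit(("https", host, next_path, "", ""))),
    ]
    return "302 Found", headers


# Constructed sample requests (not captured traffic): the same request over
# http and over https, both carrying a session cookie.
HTTP_ENVIRON = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "koji.example.org",
    "SCRIPT_NAME": "/koji",
    "PATH_INFO": "/tasks",
    "QUERY_STRING": "state=free",
    "HTTP_COOKIE": "session=abc123",
}
HTTPS_ENVIRON = {**HTTP_ENVIRON, "wsgi.url_scheme": "https"}

if __name__ == "__main__":
    print(build_session_cookie("abc123"))
    print(https_redirect_for(HTTP_ENVIRON))    # http request: redirect to https
    print(https_redirect_for(HTTPS_ENVIRON))   # already https: None
    print(session_from_request(HTTP_ENVIRON))  # cookie over http is ignored
    print(session_from_request(HTTPS_ENVIRON))
    print(login_response("abc123", "/koji/", "koji.example.org"))
```

Note that the redirect alone does not close the hole: the browser has already sent the cookie in the http request before the server answers with the redirect, which is why the Secure flag and the server-side rejection are both needed.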

