Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Jeremy L. Gaddis
* Luca Filipozzi lfili...@debian.org wrote:
> Please recall our recent email regarding the moinmoin [1] vulnerability [2] and
> the penetration of Debian's wiki [3].  We have reset all password hashes and
> sent individual notification to all Debian wiki account holders with
> instructions on how to recover (and thereby reset) their passwords [4].  More
> technical details about the attack are available [5].

[snip]

Thanks, I just reset the password on my account only to realize that
SSL is not being used by default on wiki.d.o.

Surely this will be fixed in the very near future?

Off to change my password again,
-JLG

-- 
Jeremy L. Gaddis  e: jlgad...@gnu.org
Network Engineer  m: +1.812.865.0581
PGP:  0x95E2C8FE  w: http://evilrouters.net


-- 
To UNSUBSCRIBE, email to debian-www-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130107000808.ga10...@hq.evilrouters.net



Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Luca Filipozzi
On Sun, Jan 06, 2013 at 07:08:08PM -0500, Jeremy L. Gaddis wrote:
> * Luca Filipozzi lfili...@debian.org wrote:
> > Please recall our recent email regarding the moinmoin [1] vulnerability [2] and
> > the penetration of Debian's wiki [3].  We have reset all password hashes and
> > sent individual notification to all Debian wiki account holders with
> > instructions on how to recover (and thereby reset) their passwords [4].  More
> > technical details about the attack are available [5].
> 
> [snip]
> 
> Thanks, I just reset the password on my account only to realize that
> SSL is not being used by default on wiki.d.o.

Yes. :/

> Surely this will be fixed in the very near future?

DSA and DWA are in discussion about enforcing encryption at all authentication
points.  We're currently debating the pros/cons of using a commercial SSL cert
vs a Debian SSL cert.  Given the dubious value of commercial certificates, I'm
in favour of the latter but I appreciate that some users will find the browser
warnings to be confusing.

OTOH, I'd argue that if one wishes to maintain content at wiki.debian.org, then
one should understand the basics of PKI.  What do you think?

Thanks,

Luca

DSA = Debian System Administration Team
DWA = Debian Wiki/Web Administration Team (my coinage)

-- 
Luca Filipozzi
Member, Debian System Administration Team


Archive: http://lists.debian.org/20130107014149.gb13...@emyr.net



Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Charles Plessy
On Mon, Jan 07, 2013 at 01:41:49AM +, Luca Filipozzi wrote:
> 
> OTOH, I'd argue that if one wishes to maintain content at wiki.debian.org, then
> one should understand the basics of PKI.  What do you think?

Hi Luca,

How about Debian Single Sign On (https://sso.debian.org)?

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan


Archive: http://lists.debian.org/20130107020217.ga31...@falafel.plessy.net



Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Jeremy L. Gaddis
* Luca Filipozzi lfili...@debian.org wrote:
> On Sun, Jan 06, 2013 at 07:08:08PM -0500, Jeremy L. Gaddis wrote:
> > Thanks, I just reset the password on my account only to realize that
> > SSL is not being used by default on wiki.d.o.
> 
> Yes. :/
> 
> > Surely this will be fixed in the very near future?
> 
> DSA and DWA are in discussion about enforcing encryption at all
> authentication points.  We're currently debating the pros/cons of
> using a commercial SSL cert vs a Debian SSL cert.  Given the dubious
> value of commercial certificates, I'm in favour of the latter but I
> appreciate that some users will find the browser warnings to be
> confusing.

Coincidentally, I'm taking a break from rolling out a new (internal
only) PKI infrastructure at $work to write this e-mail.

Enforcing encryption at any/all authentication points is something that,
I hope, should not even need discussing. It should be enabled at any
such points.

If money wasn't a concern, I'd be in favor of rolling out commercial
certificates everywhere simply to avoid any of the browser warnings.

I'll admit ignorance when it comes to not knowing how or where Debian
uses SSL certificates on public-facing infrastructure (although a quick
check seems to indicate SSL isn't enabled on www.d.o), but I see no
reason why certificates signed by SPI's CA (whose certificate is
included in ca-certificates) could not be used.

Alternatively, perhaps certificates from CAcert.org for public-facing
services (does anyone besides Debian include their root CA certificate)
and certificates from a private CA for use on Debian internal
services?

Obviously, there are a number of things to consider; I'm simply tossing
out ideas at this point.

> OTOH, I'd argue that if one wishes to maintain content at
> wiki.debian.org, then one should understand the basics of PKI.  What
> do you think?

Agree. Being technical folks, I would guess that a large number of
Debian users *do* understand the basics of PKI and why a certificate
signed by a commercial CA is not technically more secure than one
signed by a private CA. For those who don't, well, they should be able
to understand why after ten minutes of reading.

-- 
Jeremy Gaddis



Archive: http://lists.debian.org/20130107024611.gb10...@hq.evilrouters.net



Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Jeremy L. Gaddis
* Charles Plessy ple...@debian.org wrote:
> On Mon, Jan 07, 2013 at 01:41:49AM +, Luca Filipozzi wrote:
> > OTOH, I'd argue that if one wishes to maintain content at wiki.debian.org, then
> > one should understand the basics of PKI.  What do you think?
> 
> How about Debian Single Sign On (https://sso.debian.org)?

Unfortunately, that is not an option for everyone at this time.

From http://wiki.debian.org/DebianSingleSignOn:

The web password single signon method only works for Debian Developers.

While I may make a few contributions here and there, for example, I am
not a DD. I would suspect there are a great number of wiki editors, for
example, that are not DDs.

I am not sure if wiki supports Debian SSO or not. If not, hopefully that
support will be added in the future. In the meantime, however, requiring
encryption when logging in to any site is a good idea. Actually, I'll go
one step further and say that *not* requiring encrypted authentication
is a *very bad idea*.

-- 
Jeremy Gaddis


Archive: http://lists.debian.org/20130107025232.gc10...@hq.evilrouters.net



Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Paul Wise
On Mon, Jan 7, 2013 at 8:08 AM, Jeremy L. Gaddis wrote:

> Thanks, I just reset the password on my account only to realize that
> SSL is not being used by default on wiki.d.o.

As you found out, there is SSL available but not enforced.

I strongly suggest installing xul-ext-https-everywhere and
xul-ext-https-finder, which will maximise your use of SSL. There will
be times you need to disable SSL for certain sites or parts of sites.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


Archive: http://lists.debian.org/CAKTje6G5Y2dNsTK2dWQvF1dKVKSaPZRhCAEj=+azosjjomy...@mail.gmail.com
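The point raised twice in this thread, in Jeremy's message ("requiring encryption when logging in to any site is a good idea") and in Paul's ("there is SSL available but not enforced"), is that a login form reachable over plain HTTP leaks the password to anyone on the network path, and that a site merely offering HTTPS does not prevent that. The following is an added example, not code from the thread or from the Debian wiki; it audits a saved login page and a plain-HTTP response offline. The host `wiki.example.org`, the path `/LoginPage` and the HTML are constructed placeholders, not the real wiki's markup.

```python
"""Audit whether a site's login flow enforces TLS (added example).

Two checks a defender can run against a site from outside:
  1. audit_login_page: does every form with a password field post to https://,
     and was the page carrying that form itself served over https://?
  2. enforces_https_redirect: does a plain-HTTP request for the login URL get
     redirected to the https:// form of the same host and path?
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page with a search form (no password) and a login form
# whose action is a relative URL, so its scheme is inherited from the page URL.
SAMPLE_LOGIN_HTML = """
<html><body>
<form action="/FindPage" method="get"><input type="text" name="q"></form>
<form action="/LoginPage?action=login" method="post">
  <input type="text" name="name">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Record each <form> with its action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lowercased; values may be None
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means every password form is TLS-only.

    A form posting to http:// sends the password in clear text.  A login page
    served over http:// is also a finding even when the form posts to https://,
    because an on-path attacker can rewrite the form before the user sees it.
    """
    findings = []
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes and the like carry no credential
        target = urljoin(page_url, form["action"])
        scheme = urlsplit(target).scheme
        if scheme != "https":
            findings.append("password form posts to %s (scheme %s)" % (target, scheme or "none"))
        if page_scheme != "https":
            findings.append("login page served over %s; the form can be rewritten in transit" % page_scheme)
    return findings


def enforces_https_redirect(request_url, status, headers):
    """True iff a plain-HTTP request for request_url was redirected to its https:// twin."""
    if status not in (301, 302, 303, 307, 308):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    location = lowered.get("location")
    if not location:
        return False
    want = urlsplit(request_url)
    got = urlsplit(urljoin(request_url, location))
    return got.scheme == "https" and got.netloc == want.netloc and got.path == want.path


if __name__ == "__main__":
    # Same constructed page fetched over http:// and over https://.
    for url in ("http://wiki.example.org/LoginPage", "https://wiki.example.org/LoginPage"):
        print(url, "->", audit_login_page(url, SAMPLE_LOGIN_HTML) or "OK")
    # Constructed responses to a plain-HTTP request for the login URL.
    print(enforces_https_redirect("http://wiki.example.org/LoginPage", 301,
                                  {"Location": "https://wiki.example.org/LoginPage"}))
    print(enforces_https_redirect("http://wiki.example.org/LoginPage", 200, {}))
```

Against a live site you would feed `audit_login_page` the URL you actually fetched and the body you received, and feed `enforces_https_redirect` the status and headers of a plain-HTTP request for the same URL; both must pass before the login can be called encrypted-only, since a site that offers HTTPS but answers HTTP with a 200 and the same form is exactly the situation Paul describes.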



Re: Lack of SSL for Debian Wiki login (was: Re: wiki.debian.org password reset)

2013-01-06 Thread Paul Wise
On Mon, Jan 7, 2013 at 9:41 AM, Luca Filipozzi wrote:

> OTOH, I'd argue that if one wishes to maintain content at wiki.debian.org, then
> one should understand the basics of PKI.  What do you think?

Many of the Debian wiki editors are there to translate content to
their own language. Some of these don't use Debian, some do. I don't
think translators should need to learn about PKI to contribute. Only
if we use a CA that is trusted by their browsers will we be not
affecting anyone.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise


Archive: http://lists.debian.org/CAKTje6EehMEF5ku=_g4pb4ucyntbv3r4e9scgxbqabrkp_o...@mail.gmail.com