On Wednesday, February 6, 2013 at 7:22 PM, mar...@v.loewis.de wrote:

> Quoting Jacob Kaplan-Moss <ja...@jacobian.org>:
>
> > On Wed, Feb 6, 2013 at 5:45 PM, <mar...@v.loewis.de> wrote:
> > > I see. Still, it's not a problem at the moment; "python.org" does not issue
> > > cookies. Even for the new site, it should be possible to find a secure
> > > solution that doesn't involve shutting down packages.python.org.
> >
> > Sadly, the only "secure solution" would be to not issue cookies, i.e.
> > have no login components, and that's not what's required of the new
> > site.
>
> Why is that? If the issue is for "www.python.org", then packages.python.org
> cannot steal it, can it?

Session Fixation.

> > So something's gotta give here. Our options are basically:
> >
> > * Don't launch the new site as spec'd; revise the scope to be
> > completely static and have no login components.
> >
> > * Make packages.python.org strip javascript and quite possibly certain
> > HTML as well (I think it has to strip forms to prevent CSRF, but I
> > haven't thought that through completely).
> >
> > * Move packages.python.org to a new TLD.
>
> There are certainly more options:
> - don't use cookies 1: use basic auth instead

Horrible UX, and hope you didn't want CSRF protection either, because you throw that right out.

> - don't use cookies 2: use TLS session IDs instead

Pretty sure these are passed cleartext; hope you didn't want your sessions MITM'd.

> - don't use cookies 3: use X.509 certificates instead

Hope you didn't want CSRF protection. Also hope you didn't want PyPI protected from session fixation. Or, if you're moving PyPI to X.509 certs too, have fun supporting all those users.

> - move the login site to a new TLD (e.g. python-cms.org)

Hope you didn't want CSRF protection on python.org, or any of this protected against PyPI.

> I'm not saying that all these options are practical, I'm just pointing
> out that there are definitely more than the three you've mentioned.
>
> "Move to a new TLD" is much better than "tell people to go elsewhere",
> though.
>
> Regards,
> Martin

Instead of trying to perform gymnastics to keep packages.python.org, just keep it as is and move it to a new domain. It's simple, it's effective, and it doesn't require horrible bandaids that don't completely solve the issue anyway.
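The cookie-scoping rule behind the "Session Fixation" answer above, as an added example that is not part of the thread or of any python.org code: a browser keys cookies by registrable domain, not by host, so any page served from packages.python.org can plant a `Domain=python.org` cookie that www.python.org will later receive, and the login site cannot tell who set it. Python's stdlib `http.cookiejar` (whose default policy is about as liberal as a browser's) stands in for the browser; the cookie name, its values, the URL paths and the hypothetical separate domain `packages.example.net` are all assumptions for illustration.

```python
"""Cookie-domain scoping demo: why a sibling subdomain can fixate a parent
domain's session cookie.  Added example; http.cookiejar plays the browser."""
import http.cookiejar
import urllib.request
from email.message import Message


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends repeats

    def info(self):
        return self._headers


def visit(jar, url, set_cookie_headers):
    """Simulate loading `url` when the server answers with these Set-Cookie headers."""
    request = urllib.request.Request(url)
    jar.extract_cookies(_Response(set_cookie_headers), request)


def cookie_header_for(jar, url):
    """Return the Cookie header the 'browser' would attach to a request for `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def session_fixation_demo():
    """Attacker content on packages.python.org plants a cookie for the parent domain.

    Hostnames are those from the thread; cookie name and value are hypothetical.
    """
    jar = http.cookiejar.CookieJar()
    visit(jar, "https://packages.python.org/some-project/",
          ["sessionid=attacker-chosen; Domain=python.org; Path=/"])
    # www.python.org now receives a session id it never issued.
    return cookie_header_for(jar, "https://www.python.org/account/login/")


def host_only_cookie_demo():
    """The login site's own cookie (no Domain attribute) stays host-only."""
    jar = http.cookiejar.CookieJar()
    visit(jar, "https://www.python.org/account/login/",
          ["sessionid=victim-legit; Path=/"])
    # Sent back to www.python.org, but not to the sibling host.
    return (cookie_header_for(jar, "https://www.python.org/"),
            cookie_header_for(jar, "https://packages.python.org/"))


def separate_domain_demo():
    """Same attack from a different registrable domain (hypothetical name) is rejected."""
    jar = http.cookiejar.CookieJar()
    visit(jar, "https://packages.example.net/some-project/",
          ["sessionid=attacker-chosen; Domain=python.org; Path=/"])
    return cookie_header_for(jar, "https://www.python.org/account/login/")


if __name__ == "__main__":
    print("planted from sibling host:", session_fixation_demo())
    print("host-only cookie (www, packages):", host_only_cookie_demo())
    print("planted from separate domain:", repr(separate_domain_demo()))
```

Two points the demo does not cover: when the legitimate host-only cookie and the planted domain cookie coexist, the browser sends both under the same name and which one the server honours is framework-dependent, which is why the thread treats any shared parent domain as unsafe rather than arguing about precedence; and browsers later added the `__Host-` cookie-name prefix, which refuses cookies carrying a Domain attribute, but that postdates this thread and the stdlib jar does not model it.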
_______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig