Guys, we also ship the product with admin/admin as the password. I'm willing
to bet there are tons of production machines with this unchanged :(.

If the security risk at hand is that someone will leave their machine
unlocked and someone else can come in and access the admin console because
the session didn't time out, honestly, for me that's a theoretical problem.
Shouldn't the person have a screen saver + lock on their machine?? Any real
admin would.

I'm +1 for changing the default to 30 mins. The session growth scenario is
real but again very unlikely for the console ... many people don't log in at
once to a boring server console, even if it's as hot as ours!

Sanjiva.

On Mon, Apr 2, 2012 at 1:18 AM, Amila Jayasekara <ami...@wso2.com> wrote:

> On Sun, Apr 1, 2012 at 11:51 PM, Tharindu Mathew <thari...@wso2.com>
> wrote:
> >
> >
> > On Sun, Apr 1, 2012 at 9:26 PM, Amila Jayasekara <ami...@wso2.com>
> wrote:
> >>
> >> On Fri, Mar 30, 2012 at 3:34 PM, Dimuthu Leelarathne <dimut...@wso2.com>
> >> wrote:
> >> > Hi,
> >> >
> >> > I am -0 for this. There are some negative effects of increasing session
> >> > timeout.
> >> >
> >> > 1) Objects we keep in the session can grow. This will be multiplied by
> >> > the number of users with active sessions.
> >> > 2) Security risk is marginally increased.
> >>
> >> I agree with Dimuthu. In the default implementation we should ship
> >> products with maximum security. If needed, users can change security
> >> levels by modifying config files.
> >>
> > I disagree. In the default implementation we should ship products with
> > maximum usability. If needed, users can change security by modifying
> > config files.
>
> Hi Tharindu,
>
> I was not comparing security and usability. Of course the product must
> be usable with maximum security.
> If we ship the product with a medium/low security level, most probably
> users will get to know that they have to tweak some configurations
> in order to achieve maximum security only after facing an attack.
> Therefore it is better to ship default configurations with maximum
> available security. When I say maximum security it doesn't mean the user
> is not allowed to log in. The user will get all available functionality
> with maximum security. This is the norm followed by most other software
> products (including operating systems, such as Windows).
> E.g.:
>        Shipping the product with support for only strong SSL ciphers. If a
> customer wants to support medium/low SSL ciphers, he/she has to
> change configurations. But in the default configuration, we should only
> support strong SSL ciphers, so that an attacker will be unable to
> carry out a brute force attack.
>
> For this particular scenario, one vulnerability I see is some
> unauthorized user gaining access to the management console after the
> user's machine is kept unlocked for some time. I am not quite sure about
> the correct value for the session time. But if we are increasing that
> value, we need to reason out the "new value" properly, based on real
> usage.
>
> Thanks
> AmilaJ
>
> >>
> >> Thanks
> >> AmilaJ
> >>
> >> >
> >> > tx,
> >> > dimuthu
> >> >
> >> >
> >> >
> >> > On Fri, Mar 30, 2012 at 3:26 PM, Amila Suriarachchi <am...@wso2.com>
> >> > wrote:
> >> >>
> >> >>
> >> >>
> >> >> On Thu, Mar 29, 2012 at 3:21 PM, Tharindu Mathew <thari...@wso2.com>
> >> >> wrote:
> >> >>>
> >> >>> Hi,
> >> >>>
> >> >>> Let's do $subject. What we ship by default is a toy value good for
> >> >>> running samples.
> >> >>>
> >> >>> When we are doing some lengthy work it will definitely time out in
> >> >>> the middle of work and this is really frustrating for users.
> >> >>>
> >> >>> It should at least be 30 mins IMO.
> >> >>
> >> >>
> >> >> +1
> >> >>
> >> >> thanks,
> >> >> Amila.
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Regards,
> >> >>>
> >> >>> Tharindu
> >> >>>
> >> >>> blog: http://mackiemathew.com/
> >> >>> M: +94777759908
> >> >>>
> >> >>>
> >> >>> _______________________________________________
> >> >>> Dev mailing list
> >> >>> Dev@wso2.org
> >> >>> http://wso2.org/cgi-bin/mailman/listinfo/dev
> >> >>>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Amila Suriarachchi
> >> >>
> >> >> Software Architect
> >> >> WSO2 Inc. ; http://wso2.com
> >> >> lean . enterprise . middleware
> >> >>
> >> >> phone : +94 71 3082805
> >> >>
> >> >>
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > Dimuthu Leelarathne
> >> > Technical Lead
> >> >
> >> > WSO2, Inc. (http://wso2.com)
> >> > email: dimut...@wso2.com
> >> >
> >> > Lean . Enterprise . Middleware
> >> >
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Mobile : +94773330538
> >
> >
> >
> >
> > --
> > Regards,
> >
> > Tharindu
> >
> > blog: http://mackiemathew.com/
> > M: +94777759908
> >
>
>
>
> --
> Mobile : +94773330538
>



-- 
Sanjiva Weerawarana, Ph.D.
Founder, Chairman & CEO; WSO2, Inc.;  http://wso2.com/
email: sanj...@wso2.com; phone: +94 11 763 9614; cell: +94 77 787 6880 | +1 650 265 8311
blog: http://sanjiva.weerawarana.org/

Lean . Enterprise . Middleware
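As an added example (not code from WSO2 Carbon or from anyone in this thread), here is a minimal server-side session store that models the idle timeout under debate alongside two extra bounds assumed here, an absolute lifetime and a per-user session cap, which keep Dimuthu's "session growth" concern bounded even when the idle default goes up to 30 mins; the final function gives the rough steady-state live-session count that a longer idle timeout implies.

```python
import secrets

class Session:
    def __init__(self, user, now):
        self.user = user
        self.created = now      # login time, for the absolute lifetime
        self.last_seen = now    # last request, for the sliding idle window
        self.attrs = {}         # the per-session objects that "can grow"

class SessionStore:
    # idle_timeout: the value debated in the thread (e.g. 30 * 60 seconds)
    # absolute_timeout / max_per_user: assumed extra bounds, not Carbon settings
    def __init__(self, idle_timeout, absolute_timeout, max_per_user=3):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.max_per_user = max_per_user
        self._sessions = {}     # session id -> Session

    def _expired(self, s, now):
        return (now - s.last_seen > self.idle_timeout
                or now - s.created > self.absolute_timeout)

    def create(self, user, now):
        self.sweep(now)
        mine = [sid for sid, s in self._sessions.items() if s.user == user]
        # At the cap, evict this user's oldest session so one account can
        # never hold an unbounded number of live sessions.
        if len(mine) >= self.max_per_user:
            oldest = min(mine, key=lambda sid: self._sessions[sid].created)
            del self._sessions[oldest]
        sid = secrets.token_urlsafe(32)   # unguessable session id
        self._sessions[sid] = Session(user, now)
        return sid

    def touch(self, sid, now):
        """Validate a request's session: the Session if live, else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[sid]
            return None
        s.last_seen = now        # activity slides the idle window forward
        return s

    def sweep(self, now):
        """Drop expired sessions (what a background reaper would do)."""
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def live_count(self, now):
        self.sweep(now)
        return len(self._sessions)

def steady_state_sessions(logins_per_minute, idle_timeout_min):
    """Little's law: live sessions ~= login rate x mean session lifetime,
    and for mostly idle console users the lifetime is about the idle timeout."""
    return logins_per_minute * idle_timeout_min
```

Doubling the idle timeout doubles the steady-state session count for a given login rate, which is the memory cost the thread weighs against the usability gain.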
