El Thu, 01-07-2010 a las 20:55 -0600, Daniel Drake escribió: > Child connects to a network, perhaps just to go online outside of > school. The network has an XS. The laptop registers. The journal is > backed up to the server.
Ok, this is a serious security issue. How about asking the user to confirm registration to an unknown server, like ssh does? For slightly improved security, we could hash the ssh fingerprint to a color pair, so the teacher could say "your schoolserver is blue and red, don't register to any other". Sadly, adding this UI requirement means that this feature won't be ready n time for this release :-( > I think the current XO-XS communication is secure enough in the places > where it needs to be. But registration indeed is a big problem and it > could do with a rethink which would probably involve some kind of > key-based auth to achieve the best results in terms of user > experience. Well, communication being secure does not help much if the registration step is fatally flawed. Anyone passing nearby a school can make their computer register to the schoolserver with any made up serial number, then steal all journals, fill up the hard-drive with junk... probably even hijack the schoolserver, as it's a Fedora 9 without security patches, running plenty of scary webapps. We could be plug both this hole and the auto-registration security issue by making laptops receive their private ssh keys from the OATS server and distribute the matching public keys to the schoolserver. The same could be done with SSL client and server certificates. Thanks to your earlier work and Inventario, Paraguay already has all the infrastructure in place to do this, but it's kind of demanding for most deployments, especially those without a centralized anti-theft server. Can you think of a simpler scheme to perform mutual authentication. -- // Bernie Innocenti - http://codewiz.org/ \X/ Sugar Labs - http://sugarlabs.org/ _______________________________________________ Server-devel mailing list server-de...@lists.laptop.org http://lists.laptop.org/listinfo/server-devel