On Thu, Jun 30, 2011 at 1:10 PM, Rodrigo Rosenfeld Rosas <rr.ro...@gmail.com> wrote:
> I'm still a bit worried about security implications by using OpenID as I
> was testing it and figured out it worked on localhost in my development
> environment. This means that OpenID is able to work using HTTP redirects
> without talking directly to each other. The security implications are that it
> is probably trivial to issue a replay attack if you're behind a proxy, for
> instance. I didn't investigate this enough to know how hard that would
> be, but I used to think that necessarily both relying partner and the OpenID
> provider would talk directly to each other...

IIRC, in OpenID the consumer server (the Gitorious server) connects to the OpenID provider and they agree on a shared secret (or equivalent) before the user is redirected to the provider site for authentication. Once authentication has been performed, the user is redirected back to the consumer server with enough data in the URL to verify that authentication indeed succeeded (the consumer server will connect back to the server to verify this). One thing the provider will not do is to connect to the consumer while the visitor enters for authentication. The spec [http://openid.net/specs/openid-authentication-2_0.html] describes the gory details about how this works.

> I don't know about Crowd, but I think we should try to understand the
> security implications of each authentication method Gitorious is planning to
> support... Even if Gitorious decides to adopt some of them, they should
> recommend to users some authentication systems that it considers more secure
> or something like that...

I would assume most sites running Gitorious on their own will use the default, database-backed authentication, and we should make sure this is a safe choice. I'd also say it's reasonable to assume that people/organizations who need something else do so because they *have* something else - LDAP/AD keep coming up.

I would think that most such existing systems (we're probably talking "enterprise" solutions here) have a reasonable level of security? That being said, I agree that we should be very careful to add support for *any* kind of authentication scheme; OAuth authentication towards Twitter/Facebook comes to mind. The same goes for HTTP Basic Auth over HTTP.

Cheers,
- Marius
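The flow Marius describes (association with a shared MAC key, a signed positive assertion carried back through the user's browser, and the consumer's own checks on it) is what answers the replay worry: OpenID 2.0 section 11 requires the relying party to verify the signature, the return_to URL, the discovered endpoint, and that the response_nonce has never been accepted before. The following is an added example, not code from this thread or from Gitorious, that simulates both sides in Python with a constructed HMAC-SHA256 association; the endpoint and return_to URLs, the association handle, and the fixed timestamp are made up, and the check_authentication fallback for an unknown handle is not simulated (such assertions are simply rejected).

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from typing import Dict, Set, Tuple

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Fields that openid.signed must cover in a positive assertion (spec section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(fields: Dict[str, str], signed: str) -> bytes:
    """Key-value form of the signed fields, in openid.signed order (section 6.1)."""
    return "".join(f"{name}:{fields[name]}\n" for name in signed.split(",")).encode()


def make_nonce(now: float) -> str:
    """response_nonce: UTC timestamp followed by a unique suffix (section 10.1)."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)) + secrets.token_urlsafe(6)


def op_positive_assertion(op_endpoint, claimed_id, return_to, assoc_handle, mac_key, now):
    """Provider side: build the assertion that is redirected back via the user's browser
    and sign it with the MAC key agreed during association (HMAC-SHA256 assumed)."""
    fields = {
        "ns": OPENID_NS,
        "mode": "id_res",
        "op_endpoint": op_endpoint,
        "claimed_id": claimed_id,
        "identity": claimed_id,
        "return_to": return_to,
        "response_nonce": make_nonce(now),
        "assoc_handle": assoc_handle,
        "signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    mac = hmac.new(mac_key, kv_form(fields, fields["signed"]), hashlib.sha256).digest()
    fields["sig"] = base64.b64encode(mac).decode()
    return fields


class RelyingParty:
    """Consumer side: the checks of spec section 11 on an indirect (browser-carried) response."""

    def __init__(self, op_endpoint, return_to, associations, nonce_window=300):
        self.op_endpoint = op_endpoint      # endpoint learned by discovery on the claimed id
        self.return_to = return_to          # the URL this request actually arrived at
        self.associations = associations    # assoc_handle -> MAC key from the association step
        self.nonce_window = nonce_window    # seconds of clock skew tolerated
        self.seen_nonces: Set[str] = set()  # nonces already accepted (persist this in production)

    def verify(self, resp: Dict[str, str], now: float) -> Tuple[bool, str]:
        if resp.get("ns") != OPENID_NS or resp.get("mode") != "id_res":
            return False, "not a positive assertion"
        if resp.get("return_to") != self.return_to:        # 11.1 return_to verification
            return False, "return_to mismatch"
        if resp.get("op_endpoint") != self.op_endpoint:    # 11.2 discovered information
            return False, "op_endpoint does not match discovered endpoint"
        signed = set(resp.get("signed", "").split(","))
        if not REQUIRED_SIGNED <= signed or ("claimed_id" in resp and "claimed_id" not in signed):
            return False, "required field not covered by signature"
        mac_key = self.associations.get(resp.get("assoc_handle"))
        if mac_key is None:
            # The spec falls back to a direct check_authentication request to the OP here;
            # that is not simulated in this example, so the assertion is rejected.
            return False, "unknown association handle"
        try:                                                # 11.4 signature verification
            expected = hmac.new(mac_key, kv_form(resp, resp["signed"]), hashlib.sha256).digest()
            given = base64.b64decode(resp.get("sig", ""))
        except (KeyError, ValueError):
            return False, "malformed response"
        if not hmac.compare_digest(expected, given):
            return False, "bad signature"
        nonce = resp["response_nonce"]                      # 11.3 nonce check (replay protection)
        try:
            ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False, "malformed nonce"
        if abs(now - ts) > self.nonce_window:
            return False, "nonce timestamp outside acceptance window"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)                         # record only after all checks pass
        return True, resp.get("claimed_id", "")


def demo():
    """Constructed run: a genuine assertion, the same assertion replayed, and a tampered copy."""
    now = 1309439400.0  # constructed fixed clock (2011-06-30 13:10:00 UTC)
    handle, mac_key = "assoc-demo-1", secrets.token_bytes(32)
    op, rt = "https://op.example/endpoint", "https://git.example/sessions/openid"
    rp = RelyingParty(op, rt, {handle: mac_key})
    assertion = op_positive_assertion(op, "https://alice.op.example/", rt, handle, mac_key, now)
    first = rp.verify(assertion, now)
    replay = rp.verify(dict(assertion), now + 5)
    tampered = dict(assertion)
    tampered["claimed_id"] = "https://mallory.op.example/"
    forged = rp.verify(tampered, now)
    return first, replay, forged


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "tampered"), demo()):
        print(label, result)
```

The design choice worth noting is the ordering: the nonce is added to the seen set only after the signature and URL checks succeed, so an attacker cannot burn a legitimate nonce by submitting an unsigned copy first. In a real deployment the seen-nonce store must be shared across application servers and kept for at least the acceptance window, otherwise the replay check silently stops working behind a load balancer.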