[lang]

Present Perfect

Personal
Projects
Packages
Patches
Presents
Linux

Picture Gallery
Present Perfect

OpenID: yes or no?

Filed under: Question — Thomas @ 11:06 pm

2008-6-19
11:06 pm

I remember being really enthusiastic about OpenID when I first learnt about it. I remember trying it out and, as many, being disappointed at the practical use (nobody was supporting it) but hopeful about the idea. I tried it out a bunch of times later, but today I’m still not really using it. I saw an excellent presentation by Simon Willison at Europython last year, but I’m still not using it.

And the reason, at least for the past year, is that I do not know whether the basic model is secure or not. I’ve read lots of pro and con posts, and it’s gone so technical I don’t know who to trust.

If I think about it logically myself, I’d say that I don’t see the difference between the OpenID phishing scenario and the Paypal/bank phishing scenario:

  • Some site uses OpenID and I want to log in
  • said site redirects me instead to a fake site, that looks the same as my real site (either because I use a popular one, or because it actually connects to my real site and presents the same page)
  • Any authentication information I enter on this phishing site is thus known to the phisher

I seem to extract from all I’ve read before that there is a general consensus that this is a real threat, and that OpenID people feel this is not the problem they should be solving – that it is up to OpenID providers to solve this.

But if I were to put online a website that uses OpenID and handwaves phishing problems away to the providers, while simultaneously allowing all OpenID providers, I’d feel bad about teaching my users that it’s fine to follow OpenID links and type in passwords.

So, homework for today – can someone tell me in simple terms:

  1. if there is something wrong with my simple interpretation of the phishing problem, or if it is in fact real ?
  2. What I should be doing if I were to create a website that wants to use OpenID, and I actually care about my users ?

Too much of all of this discussion around OpenID focuses around whether or not it’s OpenID’s job to solve this problem, whether it is insecure, whether it promotes phishing, and so on. But none of the discussion focuses on what you should actually *do* when you care about making it easy for people to use your site while keeping security good enough.

Someone smart on the topic care to tell me what I should be doing as a website maker, and as a potential OpenID user on other websites ?

GNOME HIG question

Filed under: GNOME,Question — Thomas @ 8:20 am

2008-6-18
8:20 am

I don’t ask enough programming questions, so here goes one.

I have a glade file with a vtable with 3 rows, and each row contains another table, with 2 columns and a bunch of rows. It shows key-value pairs. I’ve put them in a table so that I can hide table #2 or table #3 in certain conditions.

Now, the second column of each of these tables is not aligned with the other second columns of these tables. Instead, I would like to follow the HIG and “Minimize the number of alignment points in your window” the way is done in this example with “General” and “Action” lining up, or the top 4 dropdown/entry boxes and the icon entry box.

Anyone know how to do this while still allowing me to have 3 separate tables to group my key/values ?

Update: somehow I forgot about GtkSizeGroup (shows me right for hacking at 7 in the morning) and people put me in my place. So, it doesn’t look like glade-2 supports this. Anyone know why ? Do I need to write code to read my glade file and put each label in the size group ?

apache security

Filed under: Hacking,Question,sysadmin — Thomas @ 9:06 pm

2008-6-10
9:06 pm

I had a long discussion today with Arek about file permissions and security. We ended up trying to figure out how the default install of Apache works on Fedora and Debian, and if that is the most secure solution.

So, here’s my understanding of the default config on these two distros in a nutshell:

  • apache starts as root and then drops to a specific user(httpd on Fedora or www-data on Debian)
  • config files are owned root:root with 0644 permissions
  • the default config is secure (doesn’t contain important secrets
  • because of this, it’s not a big deal that any user that can log in to the system can read the config files

So, imagine you want to protect part of your site. You add a configuration parameter to specify which htpasswd file to use, and you make this htpasswd file be owned by root:apache and with 0640 permissions. This way, no one else than root and the apache group can read this file. So far, so good – logged on users cannot read the file and run a cracker on it to guess plaintext passwords of all your users.

So, imagine you now want to add LDAP authentication, and you need to put the plaintext password for your LDAP proxy user. The config hints that you should do something special to protect this:

A bind password to use in conjunction with the bind DN. Note that the bind password is probably sensitive data, and should be properly protected

.

I read this as “make sure that your normal users on your machine can’t read the file that contains this information”. So apache should be able to read it, and (possibly but not necessarily) root, but no one else. So, a logical way for me is to put an include statement in the apache config for a file that is root:apache and 0640, which contains the bind password.

Which got me to thinking – Why is the default apache config not root:apache and 0640 to begin with ?

Arek’s reasoning was that it’s fine for the default config to be more open, and you should know what you are doing (which implies, changing ownership and permissions if you put this password in the main config file). My argument is that it would be more helpful to have the default setup be locked down more, so that putting this plaintext password in that config – a reasonable thing to do when you want to do some more advanced config – does not suddenly make your setup a lot less secure.

So, I’m sure there is a reason why apache (and other daemons) have their config as root:root and 0644 instead of root:$(daemonuser) and 0640. Anyone care to share their opinion on the subject ?

« Previous Page
picture