Mailinglist Archive: opensuse-buildservice (351 mails)

[Andreas Bauer <abauer@xxxxxxx>]

Peter Poeml schrieb:
> On Fri, Jul 25, 2008 at 07:28:18AM +0200, Adrian Schröter wrote:
> > Am Donnerstag 24 Juli 2008 18:02:35 schrieb Reinhard Max:
> > > I have two suggestions for improvement that should be easy to
> > > implement besides the general redesign:
> > >
> > > 1. Put the input fields for the login credentials directly on the
> > >     front page, in place of the "Login" part of the current combind
> > >     "Register | Login" link.
> > For security reasons, the credentials are not handled by the same server. 
> > Actually, the server rendering build.o.o does never see the password. 
> > Therefore it would be not really easy/possible in secure way to implement 
> > this.
>
> I fail to see how this matters. The one that sends the password is
> always the client. If it gets the form from build.opensuse.org is
> irrelevant. Getting the form from there is as secure, as clicking on the
> tiny link in the top right corner is "securely" leading to the right
> login form on some ichain server.
>
> This is a big misunderstanding of "secure", if you ask me.
>
> Or what do I miss? :-)

Neither build.opensuse.org nor api.opensuse.org ever get in touch with
the password, it is handled by the ichain proxy. This means even if some
evil person manages to infect the api/build source or the api/build
server gets hacked, no passwords can be sniffed/retrieved.

Andreas

> Peter
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx