Mailinglist Archive: opensuse-buildservice (351 mails)
Re: [opensuse-buildservice] OBS Webclient Redesing
- From: Dirk Stöcker <opensuse@xxxxxxxxxxxx>
- Date: Fri, 25 Jul 2008 13:44:18 +0200 (CEST)
- Message-id: <alpine.LNX.1.10.0807251340180.5536@xxxxxxxxxxxxxxxxx>
On Fri, 25 Jul 2008, Andreas Bauer wrote:
This is a big misunderstanding of "secure", if you ask me.
Or what do I miss? :-)
Neither build.opensuse.org nor api.opensuse.org ever get in touch with
the password, it is handled by the ichain proxy. This means even if some
evil person manages to infect the api/build source or the api/build
server gets hacked, no passwords can be sniffed/retrieved.
This assumes that the user recognizes that the login page is on a different system. I doubt that. I would recognize it, because the automatic password entry of my system would not work, but I would not see this when I type it by hand.
Making a login/password form on OBS and letting it point to the same target as the current login points to would not change the security to a measurable degree.
The servers involved would not see passwords either. Only if web pages on the OBS servers are hacked could the password fields be used in a dangerous way, and in this case a dangerous login redirector could do the same.
Ciao
--
http://www.dstoecker.eu/ (PGP key available)
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx