Mailinglist Archive: opensuse-buildservice (351 mails)

Re: [opensuse-buildservice] OBS Webclient Redesing
  • From: Dirk Stöcker <opensuse@xxxxxxxxxxxx>
  • Date: Fri, 25 Jul 2008 13:44:18 +0200 (CEST)
  • Message-id: <alpine.LNX.1.10.0807251340180.5536@xxxxxxxxxxxxxxxxx>
On Fri, 25 Jul 2008, Andreas Bauer wrote:

This is a big misunderstanding of "secure", if you ask me.

Or what do I miss? :-)

Neither build.opensuse.org nor api.opensuse.org ever get in touch with
the password, it is handled by the ichain proxy. This means even if some
evil person manages to infect the api/build source or the api/build
server gets hacked, no passwords can be sniffed/retrieved.

This assumes that the user recognizes that the login page is on a different system. I doubt that. I would recognize, because the automatic password entering of my system would not work, but I would not see this when I type it by hand.

Making a login/password form on obs and letting it point to the same target as the current login points to would not change the security to a measurable degree.

The servers involved would not see passwords as well. Only if webpages on the obs servers are hacked, the password fields could be used in a dangerous way and in this case a dangerous login redirector could do the same.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)