eschulte pushed a commit to branch master in repository elpa. commit 7fa936880569db565683909edd4112fef87dec2c Author: Eric Schulte <schulte.e...@gmail.com> Date: Thu Jan 2 23:27:28 2014 -0700
notes about security & authentication options --- NOTES | 15 ++++++++++++++- doc/web-server.texi | 7 ++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/NOTES b/NOTES index f87e76c..bc567d5 100644 --- a/NOTES +++ b/NOTES @@ -9,6 +9,17 @@ http://en.wikipedia.org/wiki/Basic_access_authentication *** TODO Digest http://en.wikipedia.org/wiki/Digest_access_authentication +If this is implemented, it would be good to implement some safeguards +against common attacks. + +#+begin_quote +- Server nonce is allowed to contain timestamps. Therefore the server + may inspect nonce attributes submitted by clients, to prevent replay + attacks. +- Server is also allowed to maintain a list of recently issued or used + server nonce values to prevent reuse. +#+end_quote + ** TODO documentation for running in a chroot jail see https://wiki.archlinux.org/index.php/nginx#Installation_in_a_chroot @@ -78,4 +89,6 @@ process text without something gross like the =(sit-for 0.1)= used in the test suite. ** TODO use gnutls for https -I think this should work. +This will be a pain, and will require expanding [[info:emacs-gnutls]] to +add support for starting server processes, currently only client +processes are supported. diff --git a/doc/web-server.texi b/doc/web-server.texi index 6821935..b93e4fa 100644 --- a/doc/web-server.texi +++ b/doc/web-server.texi @@ -43,7 +43,7 @@ A copy of the license is included in the section entitled @menu * Introduction:: Overview of the Emacs Web Server * Handlers:: Handlers respond to HTTP requests -* Requests:: Getting information on HTTP requests +* Requests:: Getting information on HTTP requests * Usage Examples:: Examples demonstrating usage * Function Index:: List of Functions 
@@ -246,8 +246,9 @@ is parsed into a list of the form @code{(PROTOCOL USERNAME @noindent Note: BASIC HTTP authentication passes user credentials in plain text between the client and the server and should generally only be used -with HTTPS network encryption. The Emacs web server currently doesn't -support HTTPS network encryption. +with HTTPS network encryption. While the Emacs web server currently +doesn't support HTTPS network encryption it may be run behind an HTTPS +proxy server (e.g., Apache) which does support HTTPS. @verbatiminclude ../examples/6-basic-authentication.el
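Review bot: the replay safeguards quoted in the Digest TODO hunk (NOTES @@ -9,6) say a server nonce "is allowed to contain timestamps" but not what this server would have to do with that; a nonce that is only a plain timestamp can be fabricated by the client, so the note should record that the timestamp must be bound with a server-side secret (for instance an HMAC over it) and how long a nonce stays valid before the server rejects it, otherwise the "list of recently issued or used server nonce values" is the only real protection. The block quote also reads as taken from the Wikipedia article linked just above it, so attributing it inside the quote would help a later reader.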
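Review bot: the rewritten "use gnutls for https" entry (NOTES @@ -78,4) states that [[info:emacs-gnutls]] only supports client processes, but says nothing about what users should do meanwhile, while the doc/web-server.texi hunk in the same commit points them at an HTTPS proxy; suggest cross-referencing that workaround here so the NOTES file and the manual agree on what is supported today, e.g. "Until then, terminate TLS in a reverse proxy in front of the server (see the Basic authentication note in doc/web-server.texi)."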
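Review bot: the only change in the menu hunk (doc/web-server.texi @@ -43,7) is the column spacing of the "* Requests::" entry; that is a harmless alignment fix, but it is unrelated to the commit message "notes about security & authentication options" and would be cleaner as a separate commit or at least mentioned in the message.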
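Review bot: the new sentence in the Basic authentication note (doc/web-server.texi @@ -246,8) says the server "may be run behind an HTTPS proxy server (e.g., Apache) which does support HTTPS", but a reverse proxy only encrypts the client-to-proxy hop; the credentials still cross the proxy-to-Emacs hop in plain text, exactly the exposure the preceding sentence warns about. Suggest stating the condition that makes the workaround safe, e.g. "Bind the Emacs web server to a loopback address and run the proxy on the same host, so the unencrypted hop never leaves the machine."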