Florian: do you plan to provide a patch?

On Sun, Sep 9, 2012 at 5:45 PM, Chris McDonough <chr...@plope.com> wrote:
> On Sun, 2012-09-09 at 17:40 +0200, Domen Kožar wrote:
> > According to
> > https://github.com/gavincarr/mod_auth_tkt/blob/master/conf/02_auth_tkt.conf and
> > http://linux.die.net/man/3/mod_auth_tkt, mod_auth_tkt supports SHA256
> > and SHA512 since version 2.1
> >
> > Relevant: https://bitbucket.org/ianb/paste/changeset/7f90a96378ed
>
> Cool. We should do something similar I guess.
>
> > On Sun, Sep 9, 2012 at 4:56 PM, Chris McDonough <chr...@plope.com> wrote:
> > On Sun, 2012-09-09 at 06:55 -0700, Florian Rüchel wrote:
> > > I was getting interested in how Pyramid's authentication works and
> > > looked through the commonly used AuthTktAuthenticationPolicy code. I
> > > found out it uses MD5 and the only thing keeping the cookie from being
> > > forged is the secret.
> > >
> > > I see two different issues here:
> > > First, MD5 is already known to have weaknesses and it would be a good
> > > idea to have different algorithms available so they can be set. This
> > > shouldn't be very hard to implement (I can write a patch if you
> > > desire) and it can improve the security of any site.
> > > Second, since everything depends on the single secret, I think it
> > > should be documented better (communicated on at least the docstring
> > > and the documentation) that the secret has to be strong (long, random,
> > > maybe state a minimum length).
> >
> > It would be fine by me if we made it possible to change the hashing
> > algorithm. But it probably needs to continue to support md5, because
> > its purpose is to be compatible with Apache mod_auth_tkt cookies. I
> > would be happy to accept a patch that allowed folks to plug in a
> > different hashing algorithm, and explain to them that if they do, it
> > will no longer be compatible with those cookies.
> >
> > There are also existing options that can help make it stronger
> > regardless of the hash, such as including the IP in the token, IIRC.
> >
> > - C
> >
> > --
> > You received this message because you are subscribed to the
> > Google Groups "pylons-devel" group.
> > To post to this group, send email to pylons-devel@googlegroups.com.
> > To unsubscribe from this group, send email to
> > pylons-devel+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> > http://groups.google.com/group/pylons-devel?hl=en.
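The pluggable-digest auth_tkt that Florian proposes and Chris says he would accept, as an added Python illustration that is neither Pyramid's nor paste's code: the two-round mod_auth_tkt digest over IP, timestamp, userid, tokens and user data, with the hash algorithm as a parameter (md5 kept as the compatibility default, sha512 selectable), and a parser that verifies the digest in constant time and rejects a tampered ticket. The function names, the `BadTicket` class and the sample secret in the comments are my own choices.

```python
"""Added example: the mod_auth_tkt cookie scheme with a selectable digest (not Pyramid's code)."""
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, unquote


class BadTicket(Exception):
    """Raised when a ticket is malformed or its digest does not verify."""


def _encode_ip_timestamp(ip, timestamp):
    # auth_tkt hashes the four IPv4 octets followed by the 32-bit big-endian timestamp.
    return struct.pack("!4BI", *(int(octet) for octet in ip.split(".")), int(timestamp))


def _digest(secret, ip, timestamp, userid, tokens, user_data, hashalg):
    # Two nested hashes as in mod_auth_tkt; the inner hex digest is rehashed with the secret.
    # hashalg is "md5" for cookie compatibility, or any hashlib name such as "sha512".
    inner = hashlib.new(hashalg, _encode_ip_timestamp(ip, timestamp) + secret
                        + userid.encode() + b"\0" + tokens.encode() + b"\0" + user_data.encode())
    return hashlib.new(hashalg, inner.hexdigest().encode() + secret).hexdigest()


def make_ticket(secret, userid, ip="0.0.0.0", tokens="", user_data="", timestamp=None, hashalg="md5"):
    """Build <hex digest><8 hex timestamp chars><url-quoted userid>!<tokens>!<user_data>."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    digest = _digest(secret, ip, timestamp, userid, tokens, user_data, hashalg)
    return "%s%08x%s!%s!%s" % (digest, timestamp, quote(userid), tokens, user_data)


def parse_ticket(secret, ticket, ip="0.0.0.0", hashalg="md5"):
    """Verify a ticket and return (timestamp, userid, tokens, user_data), else raise BadTicket."""
    digest_len = hashlib.new(hashalg).digest_size * 2  # hex length: 32 for md5, 128 for sha512
    digest, ts_hex, rest = ticket[:digest_len], ticket[digest_len:digest_len + 8], ticket[digest_len + 8:]
    try:
        timestamp = int(ts_hex, 16)
    except ValueError:
        raise BadTicket("timestamp field is not hexadecimal") from None
    if "!" not in rest:
        raise BadTicket("missing userid/tokens separator")
    userid, data = rest.split("!", 1)
    tokens, user_data = data.split("!", 1) if "!" in data else ("", data)
    userid = unquote(userid)
    expected = _digest(secret, ip, timestamp, userid, tokens, user_data, hashalg)
    if not hmac.compare_digest(expected.encode(), digest.encode()):  # constant-time comparison
        raise BadTicket("digest mismatch: tampered ticket, wrong secret or wrong client IP")
    return timestamp, userid, tokens, user_data
```

A server that switches `hashalg` away from md5 must also reissue every outstanding cookie, since tickets made under the old algorithm fail to parse under the new one.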