Re: HTTPS access to Bugzilla?



On Mon, 2002-07-22 at 08:27, Gregory Leblanc wrote:
> <begin bad cop>
> 
> On Sun, 2002-07-21 at 14:46, Derek Atkins wrote:
> > Luis Villa <louie ximian com> writes:
> > 
> > > And this is information they can't get from simply querying bugzilla
> > > and/or using other vulnerabilities to get at your password how[1]?
> > 
> > That's not an attack that I'm worried about.
> 
> As Luis said, there aren't any other attacks that we care about against
> Bugzilla.  It IS insecure, and you should be using a valueless password
> for it.
> 
> > > You're being (IMHO) overly paranoid about something that just isn't that
> > > important.
> > 
> > I'm being worried about passive eavesdropping, not active attacks.
> > You may consider it paranoid, but every conference they put the
> > collection of acquired passwords on the large screen in front of
> > everybody.
> 
> Whoopie, so they've got your bugzilla password.  Sorry, but I fail to
> see this as a concern, certainly not ours.  If you've got some sort of a
> pattern to your passwords, and they can use that information to get some
> other password of yours, then I submit that you've got bigger security
> concerns than our bugzilla being insecure.
> 
> > I don't want to broadcast my password to anyone listening on the local
> > network.  I'm not worried about them going out of their way to break
> > Bugzilla to get my information; I'm worried about them reading it as
> > it travels across the local (shared) network.
> 
> There is essentially no confidential information in Bugzilla, so if
> somebody grabs all of the information that comes up when you load the
> webpage, they're only getting information that's publicly available.

Unless we think it is a problem that the user's bugzilla privileges could
be misused to, say, close all bugs in a module - or do other funky stuff
that would take precious sysadmin time to clean up again. Not to forget
the flamefest we would have on some list before actually establishing
that someone misused another person's account.

> > > > I don't see how setting up https is much administrative overhead.  You
> > > > only need to set it up once then never touch it again.
> > > 
> > > Because setting it up once is > 0, which is about how much time the
> > > admins have.
> > 
> > As I said, I'm willing to help set it up.
> 
> Setting it up isn't the hard part.  We haven't got the spare horsepower
> to devote to SSL/TLS at the moment.  Securing bugzilla is a lot more
> demanding, and lower on my list of priorities than securing CVS, and
> that hasn't even gotten done yet.  Sorry, but for the time being,
> there's no HTTPS access to bugzilla.  If you're concerned that it will
> fall off of our list of things to do, feel free to file a bug against it
> in bugzilla.

One other potential problem with using SSL/TLS is the load it puts on
the servers. Does anyone have numbers on this? It would be bad if we
ended up with a system that is unusable but very secure :)

Cheers
Kjartan