
devel - Re: [sympa-developpers] Reusable authentication keys

Subject: Developers of Sympa

  • From: IKEDA Soji <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-developpers] Reusable authentication keys
  • Date: Thu, 31 Mar 2016 18:49:14 +0900

All,

Done. Now the AUTH command takes a random hash key 16 bytes in
length.

If 6.2.15 is going to be released in the coming days, I'll pause large changes.


Regards,

-- Soji

On Mon, 15 Feb 2016 19:08:56 +0900
IKEDA Soji <address@concealed> wrote:

> Hi developers,
>
> I realized that the authentication key used by the AUTH command is reusable,
> because it depends only on the target email, the list name if any, and
> the secret "cookie" parameter (see Sympa::compute_auth(), which generates
> this key). To disable the key, the administrator has no choice but to
> change the "cookie" parameter.
>
> A remarkable case is the global REMIND command. Once the auth key is
> disclosed, any user becomes able to send the command
> "AUTH <auth key> REMIND *" to distribute remind messages to all
> users.
>
> So I propose changing the AUTH command to use one-time auth keys similar
> to those the CONFIRM and DISTRIBUTE commands use, instead of persistent
> keys.
>
> Any objections or questions?
>
>
> Regards,
>
> -- Soji.
>
> --
> Conversion Co., Ltd., Security & OSS Solutions Department, IKEDA Soji
> Access Oimachi Building 4F, 1-49-15 Oi, Shinagawa-ku, Tokyo 140-0014
> e-mail address@concealed TEL 03-6429-2880
> http://www.conversion.co.jp/


--
Conversion Co., Ltd., Security & OSS Solutions Department, IKEDA Soji
Access Oimachi Building 4F, 1-49-15 Oi, Shinagawa-ku, Tokyo 140-0014
e-mail address@concealed TEL 03-6429-2880
http://www.conversion.co.jp/
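The design change discussed in this thread (a persistent key derived from the target email, list name and the site "cookie" versus a random one-time key consumed on use), shown side by side as an added illustration. This is not code from the thread, from Sympa, or from Sympa::compute_auth(); the derivation in persistent_auth_key(), the COOKIE value, the store class and its method names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the site-wide secret "cookie" parameter; a real
# deployment keeps this value out of source code.
COOKIE = b"constructed-site-secret"


def persistent_auth_key(email: str, listname: Optional[str] = None) -> str:
    """The reusable design the thread objects to (hypothetical derivation).

    The key is a keyed hash over (email, list name) under the secret cookie,
    so the same inputs always produce the same key: it never expires, is not
    bound to a single command, and can only be revoked by changing the cookie.
    """
    msg = f"{email}\0{listname or ''}".encode()
    return hmac.new(COOKIE, msg, hashlib.sha256).hexdigest()[:32]


class OneTimeAuthKeyStore:
    """Random single-use keys bound to one email address and one command.

    Each key is 16 random bytes (32 hex characters). Only a SHA-256
    fingerprint of the key is kept server-side, so a leaked table does not
    yield usable keys, and a key is removed on its first redemption attempt
    or once its lifetime has passed.
    """

    def __init__(self, ttl_seconds: int = 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock  # injectable clock so expiry can be tested offline
        self._pending: Dict[str, Tuple[str, str, float]] = {}

    @staticmethod
    def _fingerprint(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, email: str, command: str) -> str:
        """Mint a fresh key for exactly this (email, command) pair."""
        key = secrets.token_hex(16)  # 16 random bytes from the OS CSPRNG
        expires_at = self._clock() + self._ttl
        self._pending[self._fingerprint(key)] = (email, command, expires_at)
        return key

    def redeem(self, key: str, email: str, command: str) -> bool:
        """Consume the key; True only if it is known, unexpired and bound
        to the presented email and command. Any attempt removes the key."""
        entry = self._pending.pop(self._fingerprint(key), None)
        if entry is None:
            return False
        bound_email, bound_command, expires_at = entry
        if self._clock() > expires_at:
            return False
        return bound_email == email and bound_command == command

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    # Persistent key: identical on every call, so once disclosed it replays.
    k1 = persistent_auth_key("user@example.org", "mylist")
    k2 = persistent_auth_key("user@example.org", "mylist")
    print("persistent key reusable:", k1 == k2)

    # One-time key: valid exactly once, for one command, within its lifetime.
    store = OneTimeAuthKeyStore(ttl_seconds=600)
    key = store.issue("user@example.org", "REMIND *")
    print("first use:", store.redeem(key, "user@example.org", "REMIND *"))
    print("replay:", store.redeem(key, "user@example.org", "REMIND *"))
```

Binding the key to the command as well as the address is what closes the REMIND case the thread describes: a key issued for one action cannot be replayed to trigger a different one, and rotating the site cookie is no longer the only way to invalidate a key.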



Archive powered by MHonArc 2.6.19+.
