[TYPO3-dev] Services architecture

Dmitry Dulepov dmitry.dulepov at gmail.com
Thu Mar 24 09:29:53 CET 2011


Hi!

Christian Lerrahn (Cerebrum) wrote:
> Now, I was rather puzzled (and to be honest a bit shocked) when I found
> out that rsaauth calls the basic authentication services again instead
> of just exiting to pass the decrypted password down the chain.

You never know who is watching for the decrypted password. The safer way 
was to call the basic auth from the rsaauth. In that case the clear-text 
password is only visible to those to whom it is necessary.

> This gets even worse when saltedpasswords duplicates rsaauth code to
> decrypt the password before it checks it against the stored password
> hash.

I never reviewed the code of that extension, so I cannot comment. Is it 
really a duplicate, or is it a call to rsaauth?

-- 
Dmitry Dulepov
TYPO3 core&security team member
E-mail: dmitry.dulepov at typo3.org
Web: http://dmitry-dulepov.com/
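To make the design point in this message concrete, the following is an added Python model of a chained authentication pipeline. It is not TYPO3 code and does not use TYPO3's service API: the service classes, the shared login-data structure, the XOR "encryption" standing in for the RSA layer, and the sample user and password are all constructed for the example. It contrasts an rsaauth that writes the decrypted password into the shared login data and lets the chain continue (every later service sees the plaintext) with one that decrypts into a private copy and calls the basic auth service itself (the shared data never carries plaintext).

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# --- Stand-in for the RSA layer (constructed for this example; the real
# extension uses RSA with a server-held private key). A fixed XOR keystream
# keeps the example offline and reversible.
_XOR_KEY = b"not-an-rsa-key"


def _keystream(length: int) -> bytes:
    return (_XOR_KEY * (length // len(_XOR_KEY) + 1))[:length]


def encrypt_for_server(password: str) -> str:
    """What the browser would send instead of the clear-text password."""
    raw = password.encode()
    mixed = bytes(a ^ b for a, b in zip(raw, _keystream(len(raw))))
    return "rsa:" + base64.b64encode(mixed).decode()


def decrypt_on_server(blob: str) -> str:
    assert blob.startswith("rsa:"), "not an rsaauth blob"
    raw = base64.b64decode(blob[4:])
    return bytes(a ^ b for a, b in zip(raw, _keystream(len(raw)))).decode()


# --- Shared login data handed to every service in the chain.
@dataclass
class LoginData:
    username: str
    uident: str                         # as received from the client (ciphertext)
    uident_text: Optional[str] = None   # plaintext, if some service puts it there


# --- Constructed user store: salted PBKDF2 hash of the sample password.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"admin": _hash("correct horse")}   # constructed sample user


# Services return True (authenticated), False (rejected) or None (no opinion,
# let the next service in the chain decide).
class BasicAuth:
    name = "basic_auth"

    def auth_user(self, login: LoginData, observed: list) -> Optional[bool]:
        if login.uident_text is None:
            return None                      # nothing to compare against
        stored = USERS.get(login.username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, _hash(login.uident_text))


class Snooper:
    """Stands for any unrelated service in the chain (logging, a third-party
    extension). It records every field it is handed."""
    name = "snooper"

    def auth_user(self, login: LoginData, observed: list) -> Optional[bool]:
        observed.append((self.name, login.username, login.uident, login.uident_text))
        return None


class RsaAuthLeaky:
    """Decrypts into the SHARED login data and passes the verdict down the chain."""
    name = "rsaauth_leaky"

    def auth_user(self, login: LoginData, observed: list) -> Optional[bool]:
        login.uident_text = decrypt_on_server(login.uident)
        return None


class RsaAuthWrapping:
    """Decrypts into a PRIVATE copy and calls the basic auth services itself,
    so only they ever see the clear-text password."""
    name = "rsaauth"

    def __init__(self, basic_services: List[BasicAuth]):
        self.basic = basic_services

    def auth_user(self, login: LoginData, observed: list) -> Optional[bool]:
        private = LoginData(login.username, login.uident,
                            decrypt_on_server(login.uident))
        for svc in self.basic:
            verdict = svc.auth_user(private, observed)
            if verdict is not None:
                return verdict
        return False                         # no basic service could decide


def run_chain(services, login: LoginData, observed: list) -> bool:
    for svc in services:
        verdict = svc.auth_user(login, observed)
        if verdict is not None:
            return verdict
    return False


def leaky_design(password: str = "correct horse"):
    """Returns (authenticated, plaintext seen by the snooper, plaintext left in shared data)."""
    observed: list = []
    login = LoginData("admin", encrypt_for_server(password))
    ok = run_chain([Snooper(), RsaAuthLeaky(), Snooper(), BasicAuth()], login, observed)
    return ok, any(o[3] == password for o in observed), login.uident_text


def wrapping_design(password: str = "correct horse"):
    observed: list = []
    login = LoginData("admin", encrypt_for_server(password))
    ok = run_chain([Snooper(), RsaAuthWrapping([BasicAuth()]), Snooper()], login, observed)
    return ok, any(o[3] == password for o in observed), login.uident_text


if __name__ == "__main__":
    print("leaky:   ", leaky_design())      # (True, True, 'correct horse')
    print("wrapping:", wrapping_design())   # (True, False, None)
```

Both designs accept the right password and reject a wrong one; the difference is who gets to see it. In the leaky chain the snooper placed after rsaauth records the clear-text password and it is still sitting in the shared structure when the chain finishes, whereas in the wrapping design the shared structure never holds anything but the ciphertext.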