[TYPO3-english] TYPO3.ORG hacked

[Marcus Krause]

Peter Russ schrieb:
> --- Original Nachricht ---
> Absender:   Dmitry Dulepov
> Datum:       16.11.2008 21:29:
> [...]
>> Firsts, OpenID is different, it has nothing to do with md5. It is
>> integrated to 4.3 and it is as secure as your DNS is secure and
>> OpenID provider is secure.
> 
> What's about all the DNS trouble this year?
> 
>>
>> Secondly, TYPO3 should stay compatible and it means offering non—md5
>> passwords for FE users by default. This is *not* insecure unless you
>> loose your BE password! md5 passwords will be not secure if they
>> fall into hacker's hands, it should be clearly understood. md5s are
>> breakable!
> 
> Sorry Dimitri, I didn't expect this answer:
> 1) Plain text in a plain unsecured transmission is UNSECURE -> Man in
> the middle ;-)

If you're expecting to get a victim of man-in-the-middle, there's no way
to get around SSL.

Whatever challenge/response method you are using to transfer credentials
or hashing/+salting methods to store passwords in the database, the
attacker won't make the effort to intercept authentication. Instead, he
would steal your cookie with a valid session identifier after you have
been logged in. With the session id and the assumption, that the m-i-t-m
attacker is in the same (IP-)network (config 'lockIP' would then be
useless), he would be able to access the typo3 BE with your identity.
That's the disadvantage of HTTP being stateless; you have to use session
ids transfered by Get, Post or Cookie to keep track of an user session.

So better use SSL asap!


The problem now is, that TYPO3 FE/BE user record passwords are either in
clear-text or md5 hashed. Hashing by md5 will not solve the problem on
the long run, although your passwords could be arbitrary complex.
Hash collisions will be computable in an acceptable time pretty soon.

We are currently working on an alternative to md5 to be used in TYPO3.


Marcus.