[TYPO3-v4] Enabling saltedpasswords and rsaauth by default

Helmut Hummel helmut.hummel at typo3.org
Sun Jul 24 14:04:03 CEST 2011


Hi Xavier,

On 23.07.11 16:56, Xavier Perseguers wrote:

>> Do you think that enabling rsaauth/ saltedpasswords in an upgrade wizard
>> is a bad idea? If so, why?
>
> Well, I'd say you never know which extension is already installed and
> which part of it may do fancy stuff with direct database access and
> modification. You have a (slight) risk of breaking an install if you
> activate it.

This is true for almost every change that happened especially for the 
4.6 (--rebase) release and not only related to saltedpasswords/ rsaauth.

In fact, if you have extensions installed that work around the API and 
"mess" with database entries directly, you could be in trouble with 
every upgrade.

So what could happen if rsaauth is enabled during the upgrade wizard?
* The openssl component could be configured wrongly, thus RSA 
encryption/ decryption would not work.
=> We need to have integrity checks for that, not only during an upgrade 
wizard, but also during a new installation
* I got a report via Twitter that Chrome in some version cannot 
correctly encrypt RSA in JavaScript
=> This is also a general problem, but until now there's no detailed 
description of that in the bugtracker. Also this is not only a problem 
when activating the extension during an upgrade wizard.

More? Please add it here.

What would happen if saltedpasswords is enabled during the upgrade wizard?
* Some weird extension could have stored password hashes in a different 
format than md5 or any saltedpasswords compatible format.
=> This is something we cannot handle properly, but I also think we do 
not need to do so.

More? Please add it here.

> Of course, this would be better from a security point of view...

I have less to code, if I do not need to write an upgrade wizard, but 
I'm not sure if it really makes sense to not have it available.

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org

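A pre-flight check of the kind the thread asks for, as an added example that is not part of the original message or of TYPO3 itself: it classifies stored password hashes into legacy md5, saltedpasswords-compatible and unknown formats, so an upgrade wizard could report the accounts that would stop authenticating once saltedpasswords is enforced. The accepted salted prefixes, the column layout and the sample rows are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Assumption for this example: the saltedpasswords extension accepts PHPass,
# MD5-crypt and Blowfish style hashes, recognisable by these prefixes.
SALTED_PREFIXES = ("$P$", "$1$", "$2a$")
# Legacy TYPO3 storage: an unsalted md5 hex digest.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")


def classify_hash(value: str) -> str:
    """Return 'salted', 'md5', 'empty' or 'unknown' for one stored password."""
    if value == "":
        return "empty"
    if value.startswith(SALTED_PREFIXES):
        return "salted"
    if LEGACY_MD5.match(value):
        return "md5"
    return "unknown"


def audit_users(rows: Sequence[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Group user records (uid, username, password) by hash class."""
    report: Dict[str, List[str]] = {"salted": [], "md5": [], "empty": [], "unknown": []}
    for _uid, username, password in rows:
        report[classify_hash(password)].append(username)
    return report


def upgrade_is_safe(report: Dict[str, List[str]]) -> bool:
    """md5 and salted hashes are the formats the thread treats as handled;
    any 'unknown' format (written by some third-party extension) blocks the switch."""
    return not report["unknown"]


# Constructed sample of be_users rows: (uid, username, password)
SAMPLE_ROWS = [
    (1, "admin", "$P$C9HTx1uCQaG7zjyD5kcSE/FOk.oUw8."),  # already salted
    (2, "editor", "5f4dcc3b5aa765d61d8327deb882cf99"),   # legacy md5 digest
    (3, "legacy_ldap", "{SSHA}Y29uc3RydWN0ZWQ="),        # written by a foreign ext
    (4, "disabled", ""),                                   # no password set
]

if __name__ == "__main__":
    result = audit_users(SAMPLE_ROWS)
    for kind, names in result.items():
        print(f"{kind:8s} {names}")
    print("safe to enable saltedpasswords:", upgrade_is_safe(result))
```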
