[TYPO3-english] Salted Passwords & RSA: temp directory path

Philipp Gampe typo3.lists at philippgampe.info
Mon Mar 19 10:51:34 CET 2012


Hi Christian,

Christian Lerrahn wrote:

> Hi Francois,
> On Tue, 13 Mar 2012 12:29:07 +0100
> François Suter <fsu-lists at cobweb.ch> wrote:
> 
>> > * is the RSA Extension really needed for increased security?
>> 
>> Yes, it's better than SSL.
> 
> Sorry to say but I have no clue why you suggest that rsaauth provides
> better security than SSL. There are several reasons I could cite why it
> doesn't.
> 
> 1. rsaauth only encrypts the login process. Your BE session is not
> encrypted as a whole as it would be with SSL.

That is right. But we were only talking about the login procedure.
 
> 2. rsaauth doesn't even encrypt the password when you change it in the
> backend.

What do you mean? That the change password dialog does not use rsaauth?
At least in the backend, the fields are rsaauth protected if you change the 
password via User Settings.
This protection is not in effect if you change the user record via List 
module or User Admin module.

> 3. rsaauth has no mechanism to resist man-in-the-middle (MITM) attacks.
> While hardly anyone might do that, it is possible to check the
> fingerprints of SSL certificates before accepting them (against a reliable
> source). Even though SSL MITM might be easier to perform because of
> tools being available that do everything for you, it would be a
> reasonably simple challenge to write a MITM attack for rsaauth (all you
> need is to get in the middle and run a web server with the same kind of
> RSA implementation).

That is right, but this is conceptual. I never saw anyone checking 
fingerprints and as such I think this security is academic until 
browsers implement a first trust, report change for SSL fingerprints.

If you need such a high security standard, you should connect to your TYPO3 
instance via a VPN tunnel.

> 4. rsaauth happens without the user's knowledge. If you managed to
> disable it on a website as an attacker, the user most likely would not
> know that you did. Even relative internet noobs have learned that there
> is a difference between http and https, however (certainly not
> everyone though).

No, no internet noob knows what HTTPS is, except that it is "secure". Most users 
would not notice if their banking website makes a redirect from HTTPS to 
HTTP.
And even faking another SSL certificate for that website is pretty easy with today's 
tools.


> So, taking all these points into account, I would suggest that SSL is
> still more secure than rsaauth. I wish there was a STARTTLS standard
> for https, so we could just use SSL even on shared hosts and wouldn't
> have to live with makeshifts like rsaauth...

Of course, you are always advised to run your websites with HTTPS to protect 
the data transport.
However, the only advantage of SSL/TLS over rsaauth is that it has 
fingerprints, which are not used in today's applications.

Best regards
-- 
Philipp Gampe – PGP-Key 0AD96065 – TYPO3 UG Bonn/Köln – linkvalidator
