Hello whateveryournameis,
> > What I did not implement and will not implement:
> > - private rss feeds by appending an extra parameter. Private rss
> > feeds themselves: yes, but not that parameter.
> > The reason for this is that by using http basic auth with
> > http://user:pass@host/..., we have something that's well-known and
> > working. Downside is that it can be sniffed when used over an
> > insecure network connection.
> >
> As is now, I agree that both cookiehash and http auth for private rss
> feeds are insecure. The reasoning behind allowing access to private
> feeds via some sort of hash in the query parameter is compatibility
> with various aggregators.
Yep, some aggregators do not support http basic auth, which is a shame.
> Delicious does the same thing, however I
> don't believe that its hash is in any way related to the username or
> password. Ideally both the hash and the cookie hashes would be
> randomly generated and stored, however that would require a bit of
> editing to the core auth system (adding a session table and a cleanup
> function). This may be a viable temporary measure: md5sum the cookie
> hash (which is an md5sum of user+pass). This hash would -only- grant
> access to one's private feed and not one's entire account - unless
> there's something broken with md5sum(md5sum(data)).
We'd better have a completely separate type of login here that only
allows access to rss feeds and does not give you a valid session. I'll
see what I can do about that.
> > > "The links displayed in bookmark listings no longer prepend
> > > url_redir "
> > - I did not see that change in your patch. You can already disable
> > that in the configuration options globally. Enabling it only for
> > RSS feeds is not a sensible option in my eyes.
> >
> Actually what I did was edit bookmarks.php to not -display-
> url_redir. (a href=URL_REDIR+URL)URL(/a) as opposed to (a
> href=URL_REDIR+URL)URL_REDIR+URL(/a)
I saw the patch in #2934868 which is fine for me now that you explained
it :)
--
Regards/Mit freundlichen Grüßen
Christian Weiske
-= Geeking around in the name of science since 1982 =-
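The two feed-credential designs discussed in this thread, as an added example that is not SemanticScuttle's own code: the interim md5(md5(user+pass)) token beside a separate, randomly generated token that is stored only as a hash and authorises nothing but the private feed, never a session. The in-memory dicts stand in for the session table the thread mentions and are constructed for this example.

```python
import hashlib
import secrets
from typing import Optional

# Constructed in-memory stores standing in for the "session table" the
# thread mentions; a real deployment would back these with the database.
FEED_TOKENS: dict = {}  # sha256(token) -> username
SESSIONS: dict = {}     # session id -> username


def derived_feed_token(username: str, password: str) -> str:
    """The interim scheme from the thread: md5 of the cookie hash, which is
    itself md5(user+pass). Deterministic: it can only be rotated by changing
    the password, and whoever holds it holds a password-derived secret."""
    cookie_hash = hashlib.md5((username + password).encode()).hexdigest()
    return hashlib.md5(cookie_hash.encode()).hexdigest()


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_feed_token(username: str) -> str:
    """Random, feed-only credential; only its hash is stored, so a leaked
    table does not expose usable tokens, and it can be revoked on its own."""
    token = secrets.token_urlsafe(32)
    FEED_TOKENS[_digest(token)] = username
    return token


def revoke_feed_token(token: str) -> bool:
    return FEED_TOKENS.pop(_digest(token), None) is not None


def login(username: str) -> str:
    """Full login; assumed to run after the password has been verified."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def user_for_feed(token: str) -> Optional[str]:
    """Authorise a private feed request. Never creates or returns a session."""
    return FEED_TOKENS.get(_digest(token))


def user_for_session(sid: str) -> Optional[str]:
    """Full-account access; a feed token presented here is simply unknown."""
    return SESSIONS.get(sid)
```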