Forum OpenACS Q&A: Re: Password in ClearText

14: Re: Password in ClearText (response to 1)
Posted by Andrew S on
Lars, that is good news about the login pages using SSL if it's available.  I was wondering: when is the determination made about whether or not to use SSL?  For example if SSL is incorrectly installed or is uninstalled, does openACS stop using it automatically, or is this something that is settable in the admin panel?  (I'd hope the latter so that an error would be generated if SSL were not available.)

Jeff, that's right, OpenACS could use either Digest Authentication, or JavaScript for a home-brew implementation.  Do the major browsers not support these?  Possibly there could be issues with Digest and old versions of Netscape, since as I recall Netscape had some complaints with the protocol, but I think these were resolved years ago, e.g., 1999 or so.  Really old versions of other browsers don't support it either since the protocol didn't exist.  I am not sure why you think Digest-like hashing in JavaScript is a waste -- it would accomplish essentially the same thing as Digest.  I do agree that having the option to use Digest in OpenACS would be nice.

Tom, Digest prevents simple replay attacks.  It is susceptible to more sophisticated attacks but it's more secure than "Basic Authentication".  And you are right that Digest doesn't solve the problem of how to establish the shared secret in the first place.  But just because there are insecurities with this protocol doesn't make it useless -- it is generally a lot better than doing nothing!
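Andrew's point above, that Digest stops simple replays (a nonce and nonce-count the server has already accepted are refused) but still relies on a shared secret the server must already hold, as an added example that is not from this thread or from OpenACS: a minimal RFC 2617 Digest (qop=auth) client computation and server-side verifier in Python. The realm, user, password, nonce store and URI are constructed sample values.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth: the password never leaves
    the client, only a hash bound to this nonce, nonce-count and client nonce."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side. Stores HA1 per user (the shared secret the thread mentions
    Digest cannot establish on its own), issues fresh nonces, and rejects any
    nonce whose nonce-count does not increase, which defeats a simple replay."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1 = {}        # username -> HA1 (constructed in-memory store)
        self.issued = {}     # nonce -> highest nonce-count accepted so far

    def add_user(self, username, password):
        self.ha1[username] = _md5(f"{username}:{self.realm}:{password}")

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        if nonce not in self.issued:
            return False                      # unknown (or expired) nonce
        nc_int = int(nc, 16)
        if nc_int <= self.issued[nonce]:
            return False                      # replayed nonce-count
        ha1 = self.ha1.get(username)
        if ha1 is None:
            return False                      # unknown user
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not secrets.compare_digest(expected, response):
            return False                      # wrong password or tampered request
        self.issued[nonce] = nc_int           # only advance the count on success
        return True
```

A captured request replayed unchanged fails on the nonce-count check even though its hash is correct; changing any field, or not knowing the password, fails on the hash comparison.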

Posted by Tom Jackson on

First off, I think you must totally misunderstand the way authentication and security are handled in OpenACS. Basic or digest authentication simply will not work with OpenACS. They don't use the same semantics as OpenACS authentication. So authentication to view a page is one issue, this is handled with the OpenACS permission system. The other is security of the data passing over the network. We have that with ssl.

Is this your only issue with OpenACS? It seems like a non-obvious place to start.

Posted by Jeff Davis on
Tom, it's not at all clear to me why you couldn't use digest authentication on the page that grants the auth token. Maybe you could elaborate here on why that wouldn't work...

Andrew, I say javascript is a waste since most of the painful authentication experiences I have had have been with ecommerce sites who have "rolled their own" in javascript. Of course you can say "just get it right and everything works smoothly and if someone turns off javascript they just can't use the site" but I think given that ssl will just work and is in fact much more secure it's a waste to add something that will definitely lock some people out and provides only a moderate amount of security and especially a waste if we could make digest authentication work for granting auth tokens.

I do think we got the ssl side right (with the notion of secure and insecure tokens, an easy way to restrict parts of the site to ssl, and login using ssl by default assuming ssl is available). I think we should have a way to say "disable logins if ssl is unavailable" but I expect that would not be at all hard to add.

Posted by Tom Jackson on

Jeff, I guess the question is how would it work? First off, I didn't think AOLserver supported digest authentication. But maybe that isn't what is being talked about here.

I think I'd rather leave it to someone who thinks this is important to actually write up a working example. It seems pretty useless trying to convince someone who prefers MySQL over PG or Oracle to take my word for it anyway.

Andrew S, given all your other reservations about OpenACS listed in another thread, I would recommend looking elsewhere for your CMS solution. This one obviously isn't it. There are lots of products out there that meet your stated needs.

Advice is worth what you pay for it. So here is some: if you visit France, don't complain that they don't speak English. If you visit MIT, don't complain that there are a bunch of geeks hanging around and in your way. And if you don't like the length of your foot, get into therapy.