hi

Has anyone ever thought about security related to this module and the www.drupal.org site? If I log into www.drupalcenter.de and this page gets my username and password, which is the same on drupal.org, in this case I POST the password e.g. to www.drupalcenter.de and they grab/log/save my password in their logs on their server, transfer it to drupal.org - get it authenticated, well, another valid password. From now on they have my password and can log into my drupal.org account, incredible.

In this example I forgot Wireshark listening on the wire and transparent proxy servers. Login to drupal.org is NON SSL... www.drupalcenter.de, too... However, even if the drupal.org login were secured with SSL (which should be in place, but isn't), the other sites don't care and use NON SSL.

Passwords in plain text on the net... I'm a little bit shocked. But the positive side: I can never be held responsible for a posting done with such an insecure password.

Regards
Alex

Comments

hass

and insecure between the servers...

$result = xmlrpc("http://$server/xmlrpc.php", 'drupal.login', $username, $password);

hass

Priority: Normal » Critical

Compromising a password is a critical issue, so status changed.

magico

Version: 4.7.4 » 6.x-dev
Category: support » feature
Priority: Critical » Normal

Deserves a feature implementation to enable higher security.

AjK

Project: Drupal core » Site Network
Version: 6.x-dev »
Component: drupal.module » Code

Leeteq

FYI - issue: "challenge-response login"

Ref. my suggestion and others' concerns in the discussion in this issue:

"challenge-response login":
http://drupal.org/node/13240#comment-325295

brmassa

Version: » 6.x-1.01
Priority: Normal » Critical

Guys,

I'm also worried about this. As I said on http://drupal.org/node/61738, I see two solutions:
* Only include the login and password on the server's site, something like OpenID
* Encrypt the info while it's on the internet.

Any ideas?

regards,

massa

AjK

Status: Active » Postponed

Patches to add the feature welcome. Please set status to "needs review" when you add one ;)

zzolo

Since SSL is not really an option for a lot of people, a public/private key pair might be a good solution for encryption. http://en.wikipedia.org/wiki/Public-key_cryptography

This would probably mean that the login "server" would have to generate keys. This would not have to be overly complicated to get good encryption.
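The challenge-response login referenced by Leeteq above, and the goal behind zzolo's encryption suggestion, as an added Python sketch that is not part of the drupal.module or this thread: the verifying site issues a one-time nonce and checks an HMAC over it, so only a keyed response travels the wire and a captured exchange cannot be replayed. The Verifier/respond names, the dict messages standing in for the XML-RPC calls, and the SHA-256 key derivation are my assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the verifying site's credential store (the "drupal.org"
# role). It keeps a derived key, not the password, so a response can be checked
# without the password being sent. Assumption: a real deployment would derive this
# key with a proper password hash, not a bare SHA-256.
def derive_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

class Verifier:
    """The site that owns the account: issues one-time nonces and checks responses."""
    def __init__(self, users: dict, ttl: float = 60.0):
        self.keys = {u: derive_key(p) for u, p in users.items()}
        self.pending = {}  # nonce -> (username, expiry); each nonce is single use
        self.ttl = ttl

    def challenge(self, username: str) -> dict:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (username, time.monotonic() + self.ttl)
        return {"method": "challenge", "username": username, "nonce": nonce}

    def login(self, msg: dict) -> bool:
        entry = self.pending.pop(msg["nonce"], None)  # consumed here, so a replay fails
        if entry is None or entry[0] != msg["username"] or time.monotonic() > entry[1]:
            return False
        key = self.keys.get(msg["username"])
        if key is None:
            return False
        expected = hmac.new(key, (msg["nonce"] + msg["username"]).encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, msg["response"])

def respond(username: str, password: str, chal: dict) -> dict:
    """Client side: prove knowledge of the password without transmitting it."""
    key = derive_key(password)
    resp = hmac.new(key, (chal["nonce"] + username).encode(), "sha256").hexdigest()
    return {"method": "login", "username": username, "nonce": chal["nonce"], "response": resp}

def run_login(verifier: Verifier, username: str, password: str):
    """One full exchange; returns (ok, transcript) so the wire contents can be inspected."""
    chal = verifier.challenge(username)
    msg = respond(username, password, chal)
    return verifier.login(msg), [chal, msg]

def password_on_wire(transcript: list, password: str) -> bool:
    """Check what a passive listener (the thread's Wireshark case) would see."""
    return any(password in str(v) for m in transcript for v in m.values())
```

This keeps the password off the wire; it does not change what a relaying site sees if the user types the password into that site's form, which is the gap OpenID closes.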

gábor hojtsy

Yes, it is insecure and use of the module is not suggested. It was removed from Drupal 6 and replaced with OpenID, which is much more secure and absolutely makes more sense to use. I'd suggest you just use OpenID and do not enable this module. Drupal.org needs to support this functionality for some time to come but will get rid of this module sooner or later.

Ole Martin

I tested this module and had trouble with it (http://drupal.org/node/376175; yes I know, posted in the wrong place), but after reading here it is best not to use it. But the last time I tried OpenID, it did not work with CAPTCHA. Are there any changes? If not, how do I avoid spam accounts?

hass

Status: Postponed » Fixed

d.o seems to have a cert now.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.