[Bb-trac] Re: [bbPress] #955: Installer does not automatically
create 'secret' keys for cookies
bbPress
bb-trac at lists.bbpress.org
Tue Sep 9 05:13:34 GMT 2008
#955: Installer does not automatically create 'secret' keys for cookies
----------------------------------------------+-----------------------------
 Reporter:  BjornW                            |        Owner:  sambauers
     Type:  defect                            |       Status:  assigned
 Priority:  normal                            |    Milestone:  1.0-beta & XML-RPC
Component:  Installation/Upgrade              |      Version:  1.0-alpha-1
 Severity:  major                             |   Resolution:
 Keywords:  installer, cookies, empty values  |
----------------------------------------------+-----------------------------
Changes (by sambauers):
* owner: => sambauers
* status: new => assigned
* milestone: => 1.0-beta & XML-RPC
Comment:
I disagree that a check for writability before would be more
user-friendly. On write failure the information given is comprehensive and
provides an alternative path to solving the problem as well as the full
text of the config file. A check beforehand would just add an unnecessary
warning and option to continue. The current way avoids having to describe
how to make the directory writable (several variables there) or what that
means.

Empty values are not great for security, but I would be hard pressed to
call it insecure. It just halves the entropy of the cookie salt (the other
half is in the database).

What would actually be more insecure would be a bunch of auto-generated
keys based on freely available code. Once the method of key generation
were public, it would increase the predictability of the keys to a brute
force attacker.

I'll add the default text instead of making it blank; that should at least
alert most users to the fact that they should be changed.
--
Ticket URL: <http://trac.bbpress.org/ticket/955#comment:1>
bbPress <http://bbpress.org/>
Innovative forum development
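
An added example, not part of the original message or of bbPress code: a check an administrator could run over a PHP config file to flag cookie secret constants that were left empty or at a placeholder value, the two states this ticket discusses. The constant-name pattern, the placeholder strings, the length threshold and the sample config are all assumptions made for illustration.

```python
import re

# Matches PHP define('NAME', 'value') with single or double quotes.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)""")

# Assumption: secret constants have names ending in KEY, SECRET or SALT.
SECRET_NAME_RE = re.compile(r"(KEY|SECRET|SALT)$")

# Assumption: placeholder strings a sample config might ship with.
PLACEHOLDERS = {"put your unique phrase here", "changeme"}

MIN_LENGTH = 32  # assumed local policy threshold, not a bbPress requirement


def audit_config(text, placeholders=PLACEHOLDERS, min_length=MIN_LENGTH):
    """Return {constant_name: problem} for every weak secret define()."""
    findings = {}
    seen = {}  # value -> first constant that used it
    for m in DEFINE_RE.finditer(text):
        name, value = m.group("name"), m.group("value")
        if not SECRET_NAME_RE.search(name):
            continue  # not a secret constant, ignore
        if value == "":
            findings[name] = "empty"
        elif value.strip().lower() in placeholders:
            findings[name] = "placeholder"
        elif len(value) < min_length:
            findings[name] = "short"
        elif value in seen:
            findings[name] = "duplicate of " + seen[value]
        else:
            seen[value] = name
    return findings


# Constructed sample config; constant names and values are made up.
SAMPLE = """<?php
define('EXAMPLE_AUTH_KEY', '');
define( "EXAMPLE_SECRET", "put your unique phrase here" );
define('EXAMPLE_NONCE_KEY', 'hunter2');
define('EXAMPLE_LOGGED_IN_KEY', 'k3Vw9Zq1Lr7Tn5Xb2Jd8Hs4Mf6Pc0Gy3Ua9Re');
define('EXAMPLE_DB_NAME', '');
"""

if __name__ == "__main__":
    for name, problem in audit_config(SAMPLE).items():
        print(f"{name}: {problem}")
```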