fedora hosted, sharding and openid
Till Maas
opensource at till.name
Wed Feb 13 21:58:47 UTC 2013
On Wed, Feb 13, 2013 at 01:52:15AM -0500, Seth Vidal wrote:
> For the rest we make them non-ssl'd. The openid login, of course
> would be ssl'd, but the rest of the site doesn't really need to be,
> does it?
I guess if fedorahosted is not used via HTTPS, attackers could easily
make users not use HTTPS for the openid login by tampering the response
from fedorahosted. Also there is probably a session cookie involved that
is validated via openid, this could still be used by attackers to access
fedorahosted with the privileges of the original user.
Regards
Till
More information about the infrastructure
mailing list