August 22, 2008

Security theater #1 – Using SSL for login | Heine

Heine from Drupal IRC was kind enough to explain the SSL issues that I mentioned here and here in much greater detail. Head to his blog for the full article. Thanks Heine!


A quite popular activity among Drupal site owners and extension developers (drupal, firefox) is to make sure certain page requests happen over a secure HTTPS connection, whereas the majority of requests are still done over an unencrypted HTTP connection. User logins are typically the target of this effort.

Now, unless you really value your password (because you happen to be Ben Bernanke and use the same password for the documents holding the future interest rate), this is only going to give you a false sense of security. I know, it is still a very warm and comfy feeling, but it won’t be so comforting when some clown sees Mike Perry’s presentation and takes away your site.

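The weakness behind the mixed HTTP/HTTPS pattern in the excerpt above is the session cookie: if the server does not mark it Secure, the browser sends it with every plain-HTTP request to the site, so the HTTPS login protected nothing. The script below is an added example, not code from Heine's post or from Drupal; it parses Set-Cookie headers (constructed samples with made-up names and values) and reports which session cookies a browser would also send over HTTP.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed sample Set-Cookie headers, modelled on a site that only uses
# HTTPS for login. Names and values are made up; the first header is the
# weak form, the second the hardened form of the same cookie.
SAMPLE_SET_COOKIE = [
    "SESS1a2b3c=f00dfeed; expires=Sun, 14-Sep-2008 12:00:00 GMT; path=/; domain=.example.com",
    "SESS1a2b3c=f00dfeed; path=/; domain=.example.com; secure; HttpOnly",
    "has_js=1; path=/",
]

# Heuristic: name fragments a site typically uses for authentication state.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def looks_like_session(name: str) -> bool:
    """True when the cookie name suggests it carries a login session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_set_cookie(header: str) -> List[Dict[str, object]]:
    """Return one finding per cookie in a single Set-Cookie header value.

    'leaks_over_http' is True when the cookie looks like a session cookie but
    lacks the Secure attribute, i.e. the browser will also send it over HTTP.
    """
    jar = SimpleCookie()
    jar.load(header)  # stdlib parser; flag attributes become True when present
    findings = []
    for name, morsel in jar.items():
        secure = bool(morsel["secure"])
        httponly = bool(morsel["httponly"])
        session = looks_like_session(name)
        findings.append({
            "name": name,
            "secure": secure,
            "httponly": httponly,
            "session": session,
            "leaks_over_http": session and not secure,
        })
    return findings


def cookies_leaking_over_http(headers: List[str]) -> List[str]:
    """Names of session cookies, across all headers, that lack Secure."""
    return [f["name"] for h in headers for f in audit_set_cookie(h) if f["leaks_over_http"]]


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE:
        for f in audit_set_cookie(h):
            verdict = "LEAKS over HTTP" if f["leaks_over_http"] else "ok"
            print(f"{f['name']:12} secure={f['secure']!s:5} httponly={f['httponly']!s:5} {verdict}")
```

Feed it the Set-Cookie headers from your own site's login response; any session cookie reported as leaking is exactly what an HTTPS-only login page fails to protect.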


Are HTTPS Drupal sites insecure? Not anymore!


You might recall my previous article where I wrote:

Personally, I think it’s just spreading FUD; but Information Week is reporting that “Just over a week ago, security researcher Mike Perry presented information at the DEFCON security conference about a vulnerability that affects many SSL-secured Web sites, including Amazon, Facebook, Gmail, addons.mozilla.org, most Drupal sites, and many online merchants and banks.”

In the eyes of Robin Monks, Aug 2008

You should read the whole article if you haven’t already. Back? OK! So, after a call for some dev comments on the issue (thanks to John Wilkins and Christefano for the heads-up!), I can safely say this issue is fixed in the DRUPAL-6 branch, HEAD, and about to be fixed in DRUPAL-5. So the fix will be in the next security release of Drupal 5 and 6, and also in Drupal 7. Go go Drupal devs!

August 21, 2008

Is InformationWeek right? Are most all Drupal sites insecure?


Personally, I think it’s just spreading FUD; but Information Week is reporting that “Just over a week ago, security researcher Mike Perry presented information at the DEFCON security conference about a vulnerability that affects many SSL-secured Web sites, including Amazon, Facebook, Gmail, addons.mozilla.org, most Drupal sites, and many online merchants and banks.”

I have no idea why Drupal would be mentioned by name in this manner, especially if it’s a problem with cookies and the SSL protocol.

Are there any Drupal core devs who would like to comment on this security issue? I’d love to write a follow-up blog post with the full story!
