Hide Forgot
The transport layer uses messages encoded with Storable. Storable is not secure across trust boundaries, see the warning that upstream added in Version 2.45. We should at least add a strong warning that PlRPC is equally unsafe. In addition, the instructions are overly optimistic. We don't seem to ship any really strong ciphers, and the API of the Crypt:: modules is not really a good match for authenticated encryption modes. (Unauthenticated tend to be vulnerable to all kinds of attacks.) There appears to be zero reply protection. Additionally, compression is enabled unconditionally, which can reveal message contents, especially in conjunction with chosen-ciphertext attacks.
Created attachment 825551 [details] Proposed documentation fix This has been posted to the upstream for a review.
(In reply to Petr Pisar from comment #4) > Created attachment 825551 [details] > Proposed documentation fix > > This has been posted to the upstream for a review. It seems that Storable deserialization is exposed prior to password-based authentication (see how AcceptUser is called in the server code). I think the warning should mention that. It's probably best to replace the entire "SECURITY" section with a clear warning that you absolutely have to use an external authentication mechanism.
You are right. However the decryption is done before deserialization. So I guess if somebody wants to use a password for authentication, he will use encryption too. And that turns into two-step authentication as drafted in the SECURITY/Protection against untrusted users/Encryption paragraph: I recommend two phase encryption: The first phase is the login phase, where to use a host based key. As soon as the user has authorized, you should switch to a user based key. See the DBI::ProxyServer for an example. I will improve the text.
Created attachment 825588 [details] Proposed documentation fix 2 Updated documentation.
Created attachment 825589 [details] Proposed documentation fix 2 Correct README conversion.
Created attachment 829254 [details] Proposed documentation fix 2 I attached wrong patch. This one is correct.
Adding security keywords since this, or part of it anyways, has received a CVE.