Posted in TYPO3 on May 18, 2009.
I've created a new tutorial that shows how to move credentials outside of the webroot. By default, TYPO3 stores every kind of configuration in the file typo3conf/localconf.php. Besides graphics settings and the like, the database username and password and the encryption key are stored in there as well.
Although there's no way for a website visitor to get hold of this data, I personally don't like the approach of storing data that is intended to be kept private inside the webroot.
The tutorial explains the reasons in more detail. Have a look!
Posted in TYPO3 on April 30, 2009.
Today, TYPO3 made a huge step forward with regard to security. Dmitry Dulepov has sent a patch (#11016) to the TYPO3 Core mailing list that implements RSA authentication for the TYPO3 Backend and Frontend.
RSA is a method of asymmetric encryption - something you might already know if you are using GnuPG or PGP. A key pair (public and private key) is created and then, a message can be encrypted using the public key. Only the owner of the private key is later able to decrypt the message.
In the case of TYPO3, TYPO3 itself will create a key pair for each login attempt. The public key is given to the client (your browser), which uses it to encrypt your password. Sniffing your traffic will therefore not reveal the password, and you can log in to your TYPO3 installation over an unencrypted wireless LAN without having second thoughts about a possible compromise later.
TYPO3 will then decrypt the message with the private key so that the plain-text password is again available on TYPO3 side.
Having plain-text passwords available on the TYPO3 side (not only hashed ones, as currently) makes it possible to apply arbitrarily complex transformations to the original plain-text password before it is stored in the database. You might even consider encrypting your passwords in the database.
The next step, also planned to ship with TYPO3 4.3, is salted hashed passwords for FE and BE user accounts. An already existing extension (t3sec_saltedpw) will be integrated into the TYPO3 Core for this purpose.
RSA authentication will replace the currently used superchallenge authentication method. However, if you are already using SSL to secure authentication for FE or BE (the "normal login method"), there's no need to use RSA.
Give TYPO3 4.3 a try; test and review the upcoming alpha3 release! You won't regret it.
Thanks to Dmitry for his efforts. "Inspiring people to share" at its best!