View Issue Details

ID: 0017382
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-04-04 12:12
Reporter: grangeway
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0dev
Target Version: 1.3.0-beta.1
Fixed in Version: 1.3.0-beta.1
Summary0017382: install.php: do not send the value of crypto_master_salt over http
Description

This is a change to the installer to avoid sending the value of the Crypto salt over http.

For the majority of users, having the server generate a unique 32 byte string will be secure.

By sending it to the browser in all cases, in one regard we actually add the potential to weaken it.

People will care about this string in one of two ways:
a) they don't care what it is, just that it's set, at which point letting the server generate it is fine. In the case that we can save the config_inc.php file, it never leaves the server, which is optimum behaviour in this case.

b) People will care what the value is - at which point, they are probably not going to send it to the webserver via a browser, and are likely to go onto the server and generate their own value and put it into the configuration manually (after installation).

I suspect most people fall into the A category above, hence the change.

What I have added, so that users get a good experience if the random number generator fails, is a warning message as part of the installation.

Secondly, there is a separate commit to offer an alternative random number generation method, which should improve support for Windows users. I suspect the need for displaying a text box has come about from Windows users after the failed attempt to add a method for Windows users using the Crypto CAPICOM COM object in Windows ( https://github.com/mantisbt/mantisbt/commit/ab7dad32cd2e53124f1cc78cb62964861ee7c87f )
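The installer behaviour the report argues for, as an added example that is not MantisBT's own install.php code: the 32-byte salt is generated on the server, only accepted from a generator that reports itself as strong, written into config_inc.php, and never echoed to the browser; when no trustworthy generator exists the installer warns instead of offering a weak value. The function names, the config path and the base64 storage encoding are assumptions for this illustration.

```php
<?php
// Added example, not MantisBT code. Generates the crypto master salt on the
// server and persists it without sending the value to the client.

const SALT_BYTES = 32; // hypothetical constant for this example

/**
 * Return SALT_BYTES of cryptographically secure random data, or null when no
 * trustworthy generator is available, so the caller can warn rather than
 * silently use a weak value.
 */
function generate_master_salt() {
    // PHP >= 7: random_bytes() throws on failure instead of degrading.
    if (function_exists('random_bytes')) {
        try {
            return random_bytes(SALT_BYTES);
        } catch (Exception $e) {
            return null;
        }
    }
    // PHP 5.3+ with OpenSSL: accept the output only when $strong is true.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes(SALT_BYTES, $strong);
        if ($bytes !== false && $strong === true && strlen($bytes) === SALT_BYTES) {
            return $bytes;
        }
    }
    // Unix fallback: read the kernel CSPRNG directly.
    if (@is_readable('/dev/urandom')) {
        $fh = @fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            $bytes = fread($fh, SALT_BYTES);
            fclose($fh);
            if (strlen($bytes) === SALT_BYTES) {
                return $bytes;
            }
        }
    }
    return null;
}

/**
 * Store the salt (base64-encoded, an assumption of this example) in the config
 * file, replacing an existing assignment if present, and keep the file
 * readable only by the owner and group.
 */
function write_config_with_salt($config_path, $salt) {
    $line = '$g_crypto_master_salt = ' . var_export(base64_encode($salt), true) . ';';
    $existing = file_exists($config_path) ? file_get_contents($config_path) : "<?php\n";
    $pattern = '/^\$g_crypto_master_salt\s*=.*;[ \t]*$/m';
    if (preg_match($pattern, $existing)) {
        // Callback avoids backreference interpretation of the replacement text.
        $new = preg_replace_callback($pattern, function ($m) use ($line) {
            return $line;
        }, $existing);
    } else {
        $new = rtrim($existing, "\n") . "\n" . $line . "\n";
    }
    if (file_put_contents($config_path, $new, LOCK_EX) === false) {
        return false;
    }
    @chmod($config_path, 0640);
    return true;
}

// Installer flow: the salt exists only in server memory and on disk.
$salt = generate_master_salt();
if ($salt === null) {
    // Warn; do not present a text box pre-filled with a weak value.
    echo "WARNING: no secure random number generator is available on this server.\n"
       . "Generate a 32-byte salt on the server and set \$g_crypto_master_salt\n"
       . "in config_inc.php manually after installation.\n";
} elseif (write_config_with_salt(__DIR__ . '/config_inc.php', $salt)) {
    echo "Crypto master salt generated and stored in config_inc.php.\n";
} else {
    // Could not write the file: still never echo the value to the browser.
    echo "Could not write config_inc.php; set \$g_crypto_master_salt on the server.\n";
}
```

The point of the null return is that a generator which cannot vouch for its output (openssl_random_pseudo_bytes with $strong false, or a short read) is treated the same as no generator at all; the application side that base64-decodes the stored value is assumed and not shown here.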

Tags: No tags attached.

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master e5876f00

2014-05-26 14:05:17

Paul Richards

Fix: 0017382: install.php: do not send the value of crypto_master_salt over http
mod - admin/install.php

Issue History

Date Modified Username Field Change
2014-05-26 14:04 grangeway New Issue
2014-05-28 18:41 grangeway Status new => assigned
2014-05-28 18:41 grangeway Assigned To => grangeway
2014-05-31 16:15 grangeway Changeset attached => MantisBT master f725b469
2014-05-31 16:15 grangeway Changeset removed MantisBT master f725b469 =>
2014-05-31 16:17 grangeway Changeset attached => MantisBT master e5876f00
2014-05-31 16:17 grangeway Status assigned => resolved
2014-05-31 16:17 grangeway Fixed in Version => 1.3.0-beta.1
2014-05-31 16:17 grangeway Resolution open => fixed
2014-05-31 19:12 atrol Product Version => 1.3.0dev
2014-05-31 19:12 atrol Target Version => 1.3.0-beta.1
2014-11-10 11:09 vboctor Fixed in Version 1.3.0-beta.1 =>
2014-12-08 02:08 atrol Status resolved => closed
2015-04-04 12:12 dregad Fixed in Version => 1.3.0-beta.1