View Issue Details
Field | Value
---|---
ID | 0017382
Project | mantisbt
Category | security
View Status | public
Date Submitted | 2014-05-26 14:04
Last Update | 2015-04-04 12:12
Reporter | grangeway
Assigned To | grangeway
Priority | normal
Severity | minor
Reproducibility | have not tried
Status | closed
Resolution | fixed
Product Version | 1.3.0dev
Target Version | 1.3.0-beta.1
Fixed in Version | 1.3.0-beta.1
Summary | 0017382: install.php: do not send the value of crypto_master_salt over http
Tags | No tags attached.

Description

This is a change to the installer to avoid sending the value of the Crypto salt over http. For the majority of users, having the server generate a unique 32 byte string will be secure. By sending it to the browser in all cases, in one regard we actually add the potential to weaken it.

People will care about this string in one of two ways:

b) People will care what the value is - at which point, they are probably not going to send it to the webserver via a browser, and are likely to go onto the server and generate their own value and put it into the configuration manually (after installation).

I suspect most people fall into the A category above, hence the change.

What I have added, so that users can get a good experience if the random number generator fails, is a warning message as part of the installation.

Secondly, there is a separate commit to offer an alternative random number generation method, which should improve the support for Windows users. I suspect the need for displaying a text box has come about from Windows users after the failed attempt to add a method for Windows users using the Crypto CAPICOM COM object in Windows ( https://github.com/mantisbt/mantisbt/commit/ab7dad32cd2e53124f1cc78cb62964861ee7c87f )