[elpa] 59/119: notes about security & authentication options
From: Eric Schulte
Subject: [elpa] 59/119: notes about security & authentication options
Date: Mon, 10 Mar 2014 16:57:25 +0000
eschulte pushed a commit to branch master
in repository elpa.
commit 7fa936880569db565683909edd4112fef87dec2c
Author: Eric Schulte <address@hidden>
Date: Thu Jan 2 23:27:28 2014 -0700
notes about security & authentication options
---
NOTES | 15 ++++++++++++++-
doc/web-server.texi | 7 ++++---
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/NOTES b/NOTES
index f87e76c..bc567d5 100644
--- a/NOTES
+++ b/NOTES
@@ -9,6 +9,17 @@ http://en.wikipedia.org/wiki/Basic_access_authentication
*** TODO Digest
http://en.wikipedia.org/wiki/Digest_access_authentication
+If this is implemented, it would be good to implement some safeguards
+against common attacks.
+
+#+begin_quote
+- Server nonce is allowed to contain timestamps. Therefore the server
+ may inspect nonce attributes submitted by clients, to prevent replay
+ attacks.
+- Server is also allowed to maintain a list of recently issued or used
+ server nonce values to prevent reuse.
+#+end_quote
+
** TODO documentation for running in a chroot jail
see https://wiki.archlinux.org/index.php/nginx#Installation_in_a_chroot
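Review bot: the #+begin_quote block in this hunk is quoted material but carries no attribution; the wording reads like the Digest_access_authentication article linked just above it, so add a source line after #+end_quote (e.g. "-- http://en.wikipedia.org/wiki/Digest_access_authentication") so the note stays traceable when the TODO is picked up. The two bullets are also distinct safeguards and would be clearer as separate sub-tasks: a timestamp inside the server nonce lets the server reject stale nonces and so bounds the replay window, while a list of recently issued or used nonces catches reuse inside that window; one without the other leaves a gap.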
@@ -78,4 +89,6 @@ process text without something gross like the =(sit-for 0.1)=
used in
the test suite.
** TODO use gnutls for https
-I think this should work.
+This will be a pain, and will require expanding [[info:emacs-gnutls]] to
+add support for starting server processes, currently only client
+processes are supported.
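Review bot: the replacement sentence at the end of this hunk joins two independent clauses with a comma ("... starting server processes, currently only client processes are supported."); use a semicolon or split it into two sentences. It would also help to state what the old line meant by "this should work" and why it was wrong, since the new text only says the work is painful without recording what was tried.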
diff --git a/doc/web-server.texi b/doc/web-server.texi
index 6821935..b93e4fa 100644
--- a/doc/web-server.texi
+++ b/doc/web-server.texi
@@ -43,7 +43,7 @@ A copy of the license is included in the section entitled
@menu
* Introduction:: Overview of the Emacs Web Server
* Handlers:: Handlers respond to HTTP requests
-* Requests:: Getting information on HTTP requests
+* Requests:: Getting information on HTTP requests
* Usage Examples:: Examples demonstrating usage
* Function Index:: List of Functions
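Review bot: the only change in this hunk is whitespace on the "* Requests::" menu line (the removed and added lines read the same); a menu-alignment tweak is harmless but is not covered by the commit message ("notes about security & authentication options"), so either mention it there or leave it out to keep the diff focused on the stated change.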
@@ -246,8 +246,9 @@ is parsed into a list of the form @code{(PROTOCOL USERNAME
@noindent
Note: BASIC HTTP authentication passes user credentials in plain text
between the client and the server and should generally only be used
-with HTTPS network encryption. The Emacs web server currently doesn't
-support HTTPS network encryption.
+with HTTPS network encryption. While the Emacs web server currently
+doesn't support HTTPS network encryption it may be run behind an HTTPS
+proxy server (e.g., Apache) which does support HTTPS.
@verbatiminclude ../examples/6-basic-authentication.el
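Review bot: the new sentence about running behind an HTTPS proxy should say what the proxy does and does not protect; as the note itself states, the Emacs web server speaks only plain HTTP, so the proxy encrypts the client-to-proxy leg while the BASIC credentials still cross the proxy-to-Emacs hop in clear text. Suggest adding that the proxy must reach the server over loopback or an otherwise trusted link, e.g. "... which does support HTTPS, provided the proxy and the Emacs web server communicate over a trusted local connection." Since the NOTES hunk in this same commit links to nginx documentation, naming nginx alongside Apache would also keep the two files consistent.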