Re: News page in the Wiki
Till Maas wrote:
With using the FAS credentials, that allow to produce major damage in the
wrong hands, within an application that is considered not very secure make my
security concerns grow a lot more. I know that they are already used for
OpenID and Mediawiki in Fedora, so there are a lot of attack vectors there,
but maybe RPMFusion could be more secure.
This is a fair concern - wordpress has a poor history. However, the
potential for an exploit being harmful would be minimal because WP would
never store the FAS password and a validated WP session has no control
over FAS. All authentication with FAS would be done over SSL: at no
point is the password sent over a non-encrypted connection and it is
never stored anywhere within wordpress or logged anywhere on the client
machine/within the session/on the wordpress server.
Additionally, even if an attacker can hijack a validated wordpress
session there would be no way they could use that hijacked session to
attack FAS since there is no two-way link between WP and FAS. So the
potential for any harmful exploit should be no greater (and potentially
less since the pw is never stored) than for the other third-party apps
that have already been integrated with FAS.
Of course, I will check all this out with the FAS developers and ensure
that they agree that it is as safe as possible.