[Seaside-dev] Re: Seaside Security

Philippe Marschall philippe.marschall at gmail.com
Tue Feb 11 08:39:38 UTC 2014


On Mon, Feb 10, 2014 at 7:47 PM, Paul DeBruicker <pdebruic at gmail.com> wrote:
> Hi Philippe,
>
> Thanks for starting this discussion.
>
> It seems reasonable to me that if you're proxying from a webserver to
> seaside then the webserver could/should take care of the HSTS header

In a way yes. The whole SSL configuration needs to be done on the
frontend webserver so you may as well do STS there. OTOH when the
frontend webserver modifies the response that's always a bit
intransparent magic.

> and terminate the SSL connections.

Yes

> Moving that work to Squeak/Pharo when
> unnecessary seems suboptimal.

We're just talking about adding another HTTP header.

> […,]
> On windows the urandom equivalent is:
> https://en.wikipedia.org/wiki/CryptGenRandom (I've never used it for
> anything)

My understanding is it's the equivalent of /dev/random, not
/dev/urandom. It's my understanding that /dev/random is preferable
for seeds. But I don't know enough about FFI to know how I should call
this function.

> I think it would be nice to not require FFI, OSProcess, or access SqueakSSL
> but use them if available and performance is sufficient. I know the
> SqueakSSL plugin is included with Eliot's and the Pharo VM now.

I'm fine with anything that does not require installing additional plugins.

> Maybe it'd
> be simplest to add the ability to access random bytes from OpenSSL to the
> SqueakSSL plugin.

AFAIK we'd have to extend the OpenSSL plugin and wait for VM builds.

> For a pure in image solution it sounds like what you would like is a
> refactoring of the Cryptography package into subprojects then integrating
> the PRNGs into Seaside. I don't know what that would take. There was a
> discussion on the Crypto mailing list from November about the RNGs and
> splitting the big package both of which appear partially finished in some
> way:

The size of the package is merely a "cosmetic" flaw. My biggest issue
is that the RNGs aren't usable out of the box and you have to come up
with a seed yourself (at least that's my understanding).

Cheers
Philippe

