On 10/2/07, Chris Nighswonger <..hidden..> wrote:
> I had this thought as well, but was not sure whether this was
> considered part of deployment of LedgerSMB rather than coding and
> therefore the responsibility of the installer/admin. In any case ssl
> adds more security to the dataflow in general, whether or not it is
> the solution in this case.
This is actually a good secondary question. Basically, nothing we do prevents LedgerSMB from being deployed in an insecure manner. Quite frankly, at the moment, the initial login would be vulnerable to eavesdropping if you don't use SSL. With the password sent back on every request, the window of vulnerability is certainly larger, but I am not sure this translates into a significantly larger security risk (the only additional requirement is waiting for someone to actually log in with the current system).
Having said this, I think we should be trying to be as secure as possible by default. I don't like the idea of blaming users for security issues, but as we move things out of our application, we are going to have to work with people more to help them be secure. For example, I don't think our setup scripts can affect SSL on the web server (because this is a global setting on all affected sites), nor should they be writing to the pg_hba.conf.
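One thing the application itself can do about the eavesdropping point above, even though it cannot turn SSL on for the web server: refuse to read a submitted password at all when the request did not arrive over TLS, and redirect to the https URL instead. The snippet below is an added example written for this thread, not LedgerSMB's own code. It assumes a CGI-style environment in which the web server sets HTTPS=on for TLS requests (Apache's mod_ssl does this); the `trust_proxy_header` switch and the function names are hypothetical, and the sample environments and form data are constructed.

```perl
#!/usr/bin/perl
# Added example, not LedgerSMB code: refuse to accept login credentials
# unless the request arrived over TLS. Assumes a CGI-style %ENV where the
# web server sets HTTPS=on for TLS requests (Apache mod_ssl does). The
# $trust_proxy_header switch is a hypothetical deployment setting.
use strict;
use warnings;

# Returns 1 if the request came over TLS, 0 otherwise.
# $env is a hashref shaped like %ENV under CGI.
# $trust_proxy_header should be set ONLY when a TLS-terminating reverse
# proxy you control overwrites X-Forwarded-Proto on every request;
# otherwise a client can forge the header and bypass the check.
sub request_is_tls {
    my ($env, $trust_proxy_header) = @_;
    return 1 if defined $env->{HTTPS} && lc($env->{HTTPS}) eq 'on';
    return 1 if $trust_proxy_header
        && defined $env->{HTTP_X_FORWARDED_PROTO}
        && lc($env->{HTTP_X_FORWARDED_PROTO}) eq 'https';
    return 0;
}

# Decide whether to process a login form. Returns a status string so the
# caller can render a page or send a redirect. The password is never
# touched when the transport is plaintext.
sub login_decision {
    my ($env, $form, $trust_proxy_header) = @_;
    if (!request_is_tls($env, $trust_proxy_header)) {
        # Bounce to the same path over https rather than silently
        # accepting (and thereby exposing) the credentials.
        my $host = $env->{HTTP_HOST} // 'localhost';
        my $uri  = $env->{REQUEST_URI} // '/';
        return "redirect:https://$host$uri";
    }
    return 'reject:missing credentials'
        unless defined $form->{login} && defined $form->{password};
    # Authentication itself (e.g. connecting to PostgreSQL as the user)
    # would happen here; this example stops at the transport decision.
    return "accept:$form->{login}";
}

# Constructed sample environments for illustration only.
my %plain  = (HTTP_HOST => 'ledger.example.com', REQUEST_URI => '/login.pl');
my %tls    = (HTTPS => 'on', HTTP_HOST => 'ledger.example.com',
              REQUEST_URI => '/login.pl');
my %forged = (HTTP_X_FORWARDED_PROTO => 'https',
              HTTP_HOST => 'ledger.example.com', REQUEST_URI => '/login.pl');
my %form   = (login => 'alice', password => 'constructed-password');

print login_decision(\%plain,  \%form, 0), "\n";  # plaintext: redirected
print login_decision(\%tls,    \%form, 0), "\n";  # TLS: accepted
print login_decision(\%forged, \%form, 0), "\n";  # forged header, proxy not trusted
print login_decision(\%forged, \%form, 1), "\n";  # same header, proxy trusted
```

The third and fourth calls make the caveat concrete: an X-Forwarded-Proto header is only evidence of TLS if a proxy you control is guaranteed to set it, so the default should be not to trust it. This check does not make a plaintext deployment secure (a session cookie issued afterwards still needs the Secure flag, and an active attacker can intercept the initial http request), but it stops the application from quietly accepting a password over an eavesdroppable connection.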