Question
How easy is it to break the security built into TWiki (username/password GUI screen)? I would prefer to use that if it is secure enough, since it looks more visually pleasing and seamless. However - I will implement the password prompt using Apache if it is much more secure.
Your thoughts are greatly appreciated.
Sincerely,
Brian Mahoney
Environment
--
BrianMahoney - 01 Aug 2007
Answer
TWiki's TemplateLogin is not proof against eavesdropping. Unless you are using HTTPS, whoever can read what's going over the network will be able to read the user id and password. The situation does not improve at all if you are using Apache's "Basic" authentication (except that an eavesdropper would need to know how to decode Base64). So, if security policy doesn't allow this, either use HTTPS, or Apache's password prompt with Apache's Digest authentication.
And again, unless you are using HTTPS, changing passwords using TWiki forms will be vulnerable to eavesdropping regardless of which Apache authentication scheme you are using.
Under no circumstances should you use Apache's Basic authentication without HTTPS when you want to use a corporate LDAP directory as Apache's backend for "Single Sign On": a listener on the TWiki line would then obtain passwords for use with any other corporate service.
--
HaraldJoerg - 01 Aug 2007
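As an added illustration of the answer above (example code written for this page, not part of the original answer, of TWiki, or of Apache): the script below decodes a Basic Authorization header exactly as an eavesdropper on a plain-HTTP link would, then builds and verifies an RFC 2617 Digest response the way a browser and Apache's mod_auth_digest exchange it, showing that Digest keeps the cleartext password off the wire and that the server only needs the HA1 hash that htdigest stores. The user name, password, realm, nonce, client nonce and URI are constructed sample values. It also carries the caveat a practitioner should know: Digest is only MD5 over values that are all visible on the wire, so a captured exchange can still be tested against password guesses offline, which is why HTTPS remains the real fix.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: the Authorization header of a Basic-auth request to TWiki,
# as seen by anyone who can read the (unencrypted) HTTP traffic.
# The credentials are fictional: user "brian", password "s#cr3t".
BASIC_HEADER = "Basic YnJpYW46cyNjcjN0"


def decode_basic(header):
    """Recover cleartext credentials from a Basic Authorization header.
    Base64 is an encoding, not encryption: this is all an eavesdropper must do."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is what Apache's htdigest file stores,
    so the server never needs the cleartext password to verify a request."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value (qop=auth): the only secret-derived value on the wire."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(user, realm, password, method, uri, nonce, nc, cnonce):
    """What a browser sends after a 401 carrying a Digest challenge (nonce, realm)."""
    resp = digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header):
    """Split a Digest Authorization header into its key=value fields (quoted or bare)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    body = header[len("Digest "):]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}


def verify_digest(header, method, ha1_store):
    """Server-side check as mod_auth_digest would do it: needs only the stored HA1.
    ha1_store maps (user, realm) -> HA1 hex, i.e. the contents of an htdigest file."""
    p = parse_digest(header)
    ha1 = ha1_store.get((p["username"], p["realm"]))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"],
                               p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])


def dictionary_attack(header, method, candidates):
    """Caveat: an eavesdropper who captured one Digest exchange can test password
    guesses offline, because every other MD5 input (realm, nonce, nc, cnonce, uri)
    is in the header. Returns the first guess that reproduces the response, or None."""
    p = parse_digest(header)
    for guess in candidates:
        ha1 = digest_ha1(p["username"], p["realm"], guess)
        if digest_response(ha1, method, p["uri"], p["nonce"], p["nc"],
                           p["cnonce"], p.get("qop", "auth")) == p["response"]:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample values for the Digest exchange (realm, nonce, cnonce, URI).
    print("Basic decodes to:", decode_basic(BASIC_HEADER))
    hdr = build_digest_header("brian", "TWiki", "s#cr3t", "GET",
                              "/twiki/bin/view/Main/WebHome",
                              "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b")
    print("Digest header on the wire:", hdr)
    store = {("brian", "TWiki"): digest_ha1("brian", "TWiki", "s#cr3t")}
    print("Server accepts:", verify_digest(hdr, "GET", store))
    print("Offline guess hits:", dictionary_attack(hdr, "GET", ["password", "letmein", "s#cr3t"]))
```

The Digest header never contains "s#cr3t", and the server accepts it using only the HA1 that `htdigest` writes, which is what makes Apache's `AuthType Digest` the better of the two prompts on an unencrypted link. The last function shows why it is still not a substitute for HTTPS: a weak password falls to an offline dictionary run against a single captured request.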