[Zope] DISCUSS: Import from the web

Christopher G. Petrilli petrilli@amber.org
Fri, 26 Feb 1999 14:24:25 -0500


On Fri, Feb 26, 1999 at 12:16:02PM -0500, Paul Everitt wrote:
> 
> "Can we make import-from-the-network have as acceptable a level of trust
> as the filesystem?"

There are three potential problems here, as I see it, or vectors for
assault....

	1. Malicious users creating bad pickles
	2. MIM attack that inserts garbage in
	3. Unauthorized use by sniffed password/etc

#1 I think is the smallest, honestly, because if it's true, you've got
other larger problems.  #2 is relatively uncommon, but can be
side-stepped with a precomputed checksum (MD5 signature) that is input
along with the filename/browse feature.

#3 is the hardest, and is also exposed to the whole "web admin" issue;
it's no better/worse because it's an import than going through and
messing it up manually.

> Here are some brainstorm ideas:
> 
> 1) Make the import a pull rather than a push.  Instead of pushing the
> data from your computer into a remote Zope, you go to the remote Zope
> and put in the URL to your local Zope.

No no, this is just too painful for words, breaks all kinds of security
things that people have in place for "diodes" in their network.  

> 2) Turn import from the web off by default but have a knob to turn it
> on.

This I like, make people consciously think about turning it on...
everyone has different security policies.  Provide the flexibility to
provide features with a known risk.

> 3) Reading directly from a Zope as it outputs an export means you're
> less likely to get a hacked pickle.

Well, yeah, but it's also a pain in the butt, and perhaps should wait
until replication itself is there, no?  Then you can use the replication
framework for this.

> 4) Have a shared key system, then rotor the export file (this is what we
> do on the unreleased Zope Network Client software).  That is, wrap the
> data in an envelope.

Well, see above.  You really have to identify the vectors you're most
concerned with.  This system won't necessarily give you anything except
"privacy" unless you also provide some tamper-resistance through
hashing.

> Of course there is still the ultimate question: is this a compelling
> feature?

It's a "MUST HAVE" for me... I do a ton of prototyping at home, and then
move it to a remote system as a big batch.  Works great, it's a bit
painful, but... much easier than before.

Chris
-- 
| Christopher Petrilli                      ``Television is bubble-gum for
| petrilli@amber.org                          the mind.''-Frank Lloyd Wright
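An added illustration of the two points in Chris's reply (the precomputed checksum entered alongside the filename, and the "rotor" envelope giving privacy but no tamper-resistance); this is example code written for this page, not Zope's import code. It assumes a toy XOR keystream as a stand-in for the rotor envelope, a constructed pickled export, and SHA-256 where the thread names MD5 (the gate works the same way with either).

```python
import hashlib
import hmac
import pickle

# Constructed stand-in for a Zope export file: a pickled object tree.
SAMPLE_EXPORT = pickle.dumps(
    {"id": "Folder1", "meta_type": "Folder", "objects": ["index_html"]}
)
SHARED_KEY = b"constructed-shared-key"   # constructed, not a real key


def rotor_like(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher standing in for the thread's shared-key 'rotor'
    envelope: XOR with a keystream derived from the key. Symmetric, so the
    same call decrypts. It hides the content but detects nothing: flipping
    one ciphertext byte silently flips the matching plaintext byte."""
    out = bytearray()
    block = b""
    for i, b in enumerate(data):
        if i % 32 == 0:   # new 32-byte keystream block every 32 bytes
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def checksum(data: bytes) -> str:
    """The precomputed checksum the admin types in with the filename.
    It only helps if it arrives out of band, not inside the same envelope."""
    return hashlib.sha256(data).hexdigest()


def import_if_intact(envelope: bytes, key: bytes, expected: str):
    """Decrypt, then unpickle ONLY when the checksum matches. Unpickling
    untrusted bytes is the 'bad pickle' vector, so the gate comes first."""
    plain = rotor_like(envelope, key)
    if not hmac.compare_digest(checksum(plain), expected):
        return None            # refuse the import; nothing was unpickled
    return pickle.loads(plain)


def corrupt_in_transit(envelope: bytes, offset: int) -> bytes:
    """Simulate the thread's MIM case for the test: one bit changed en route."""
    damaged = bytearray(envelope)
    damaged[offset] ^= 0x01
    return bytes(damaged)
```

Decrypting the damaged envelope without the checksum yields a plaintext that differs in exactly one byte and would be handed straight to the unpickler; with the checksum gate the import is refused.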