As part of the Zanata 4.4 upgrade, we will cease support for OpenID login on translate.zanata.org
Our recent analysis has shown that some OpenID providers return HTTP-based OpenID identities, even when the login is initiated via HTTPS. This introduces an element of risk to OpenID authentication and also forces the use of looser firewall rules. For the security of the service, we have decided to discontinue OpenID support. Local username/password authentication is still supported.
Your username, profile and contributions will not be affected. To switch to local authentication from your existing OpenID login, please use “Forgot your password?” on the login screen to reset the password. A password reset mail will be sent to the email address you registered.
The command line client and Zanata Jenkins plugin will continue to work without modification.
Should you have any questions, please post to our mailing list: zanata-users@redhat.com.
Regards,
On 23 May 2018 04:19:17 GMT+02:00, Ding Yi Chen dchen@redhat.com wrote:
As part of the Zanata 4.4 upgrade, we will cease support for OpenID login on translate.zanata.org
Isn't OpenID what we use to connect with our Fedora accounts? Isn't destroying bridges like building new walls? Sad to see that.
I agree. Unfortunately, due to the security reason mentioned, this is in the best interest of Zanata users and of our commitment to data security.
The change will not affect fedora.zanata.org; it is only for translate.zanata.org.
Users can easily migrate to the supported login by using “Forgot your password?” on the login screen to reset the password. A password reset mail will be sent to the email address you registered. The change will not have any impact on any existing data or work that is done in Zanata.
On Wed, May 23, 2018 at 3:40 PM, Jean-Baptiste jean-baptiste@holcroft.fr wrote:
On 23 May 2018 04:19:17 GMT+02:00, Ding Yi Chen dchen@redhat.com wrote:
As part of the Zanata 4.4 upgrade, we will cease support for OpenID login on translate.zanata.org
Isn't OpenID what we use to connect with our Fedora accounts? Isn't destroying bridges like building new walls? Sad to see that.
-- Jean-Baptiste Holcroft
On Tue, May 22, 2018 at 10:19:17PM -0400, Ding Yi Chen wrote:
Our recent analysis has shown that some OpenID providers return HTTP-based OpenID identities, even when the login is initiated via HTTPS. This introduces an element of risk to OpenID authentication and also forces the use of looser firewall rules. For the security of the service, we have decided to discontinue OpenID support. Local username/password authentication is still supported.
I don't think Fedora's OpenID login has this flaw. Would it be possible to allow OpenID login for white-listed providers which are known to be well-behaved?
On Fri, May 25, 2018 at 11:24:08AM +1000, Alex Eng wrote:
I don't think Fedora's OpenID login has this flaw. Would it be possible to allow OpenID login for white-listed providers which are known to be well-behaved?
Unfortunately, Fedora's OpenID returns HTTP even when the request is made over HTTPS.
Does it? Let me check with the infrastructure team about getting that fixed.
Our identity URLs are indeed sent as http, which is because back when OpenID was introduced into Fedora many, many moons ago (before my time), it was done without HTTPS for identity URLs, and changing this afterward would break every account assignment at every remote site, which would leave many users very confused and annoyed.
Note that these identity URLs are only requested once in the protocol, and only by the Relying Party (Zanata), which means that the only possible attack would be a man in the middle between the Zanata servers and Fedora's network for the discovery. The OpenID endpoint, which sends all data including the signatures, is always served over HTTPS, just like the second discovery step.
Do note that we *also* provide all identity URLs over HTTPS, e.g. https://puiterwijk.id.fedoraproject.org/. If the Zanata team is willing to update all account assignments on your end, I can make us serve HTTPS identity URLs to you. Alternatively, you can just rewrite the http identity URL to https on your end when verifying, and that would work without any changes on our end, since all the certificates are in place to serve them.
Feel free to let me know which you prefer.
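The rewrite-on-verification option in the last message, combined with the allow-listed-providers idea raised earlier in the thread, as an added Python example (not Zanata's or Fedora's code): the relying party upgrades an http:// identity URL to https:// for discovery only when the host is on an allow-list of providers known to serve it over HTTPS, and matches accounts on a scheme-independent key so assignments stored as http:// keep working. The allow-list suffix, the account-key format and the rejection rules are assumptions.

```python
"""Relying-party handling of http:// OpenID identity URLs (hypothetical)."""
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list: providers that serve the same identity URL over
# HTTPS.  A suffix match covers per-user hosts like foo.id.fedoraproject.org.
HTTPS_CAPABLE_SUFFIXES = ("id.fedoraproject.org",)


def _host_allowed(host, suffixes):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def discovery_url(claimed_id, suffixes=HTTPS_CAPABLE_SUFFIXES):
    """Return the URL the RP should fetch during discovery.

    https:// identifiers pass through unchanged.  http:// identifiers are
    upgraded to https:// only for allow-listed hosts, so the single
    plaintext fetch in the protocol disappears.  Plain http from unknown
    providers, userinfo, explicit ports and other schemes are rejected.
    """
    parts = urlsplit(claimed_id)
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed in identity URL")
    if parts.port is not None:
        raise ValueError("explicit port not allowed in identity URL")
    if not parts.hostname:
        raise ValueError("identity URL has no host")
    if parts.scheme == "https":
        return claimed_id
    if parts.scheme == "http" and _host_allowed(parts.hostname, suffixes):
        return urlunsplit(("https",) + tuple(parts[1:]))
    raise ValueError("refusing plaintext discovery for %s" % parts.hostname)


def account_key(claimed_id):
    """Scheme-independent key (lowercased host + path) used to look up an
    existing account assignment, so users whose identity was stored as
    http://... are still matched when the provider asserts https://..."""
    parts = urlsplit(claimed_id)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) identity URL")
    return parts.hostname.lower() + (parts.path or "/")
```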