[Openstack-security] [openstack/python-keystoneclient] SecurityImpact review request change Iae94329e7abd105bf95224d28f39f4b746b9eb70

Jeffrey Walton noloader at gmail.com
Tue Sep 17 08:29:55 UTC 2013


On Wed, Sep 11, 2013 at 9:03 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>>     This adds the ability to specify a CA file that will be used to verify
>>     HTTPS connections, or insecure to specifically ignore HTTPS validation.
> CA file is good, especially if the organization is running its own PKI.
>
> I'm not sure about the other state: no CA means plain text everything.
>
> I'm wondering if a better choice would be to generate a self-signed on
> the fly to provide better than nothing security (BTNS).
>
> For those who insist on plain text connections, make them shoot
> themselves in the foot by altering a configuration file.
By the way, did this posting make anyone's radar?

Potential security flaw in network implementation at Digitalocean.com,
http://seclists.org/fulldisclosure/2013/Aug/53.

Opportunistic encryption would be a big help in cases where services
aren't quite configured as well as they could be. Digitalocean.com did
a great job of responding, but the next site to be misconfigured might
not be as responsive as Digitalocean.com.

> On Wed, Sep 11, 2013 at 10:07 PM,  <gerrit2 at review.openstack.org> wrote:
>>
>> Hi, I'd like you to take a look at this patch for potential
>> SecurityImpact.
>> https://review.openstack.org/34161
>>
>> Log:
>> commit 20e166fd8a943ee3f91ba362a47e9c14c7cc5f4c
>> Author: Jamie Lennox <jlennox at redhat.com>
>> Date:   Mon Aug 12 13:12:27 2013 +1000
>>
>>     Replace HttpConnection in auth_token with Requests
>>
>>     Requests is becoming the standard way of doing http communication, it
>>     also vastly simplifies adding other authentication mechanisms. Use it in
>>     the auth_token middleware.
>>
>>     This adds the ability to specify a CA file that will be used to verify
>>     HTTPS connections, or insecure to specifically ignore HTTPS validation.
>>
>>     SecurityImpact
>>     DocImpact
>>     Partial-Bug: #1188189
>>     Change-Id: Iae94329e7abd105bf95224d28f39f4b746b9eb70
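An added example, not code from the keystoneclient change under review, showing how the CA-file / insecure pair described in the commit message maps onto the `verify` argument that Requests accepts; the names `resolve_verify`, `get_with_verification` and the stand-in session are assumptions made for this illustration.

```python
"""Resolve auth_token-style HTTPS settings into requests' ``verify`` value."""
import logging
import os

LOG = logging.getLogger(__name__)


def resolve_verify(cafile=None, insecure=False):
    """Map (cafile, insecure) onto the value requests expects for ``verify``.

    Returns one of three states:
      * a CA bundle path - validate the server cert against that bundle
      * True             - validate against requests' default CA bundle
      * False            - accept any certificate (explicit opt-in only)
    An unreadable CA file raises ValueError so that a typo in the config
    fails loudly instead of silently weakening validation.
    """
    if insecure:
        # Still TLS on the wire, but self-signed, expired or wrong-host
        # certificates are accepted.  Log it so the setting is visible.
        LOG.warning("HTTPS certificate validation disabled (insecure=True)")
        return False
    if cafile:
        if not os.path.isfile(cafile) or not os.access(cafile, os.R_OK):
            raise ValueError("CA file %r is not readable" % cafile)
        return cafile
    # Neither option set: fall back to requests' default validation.
    return True


def get_with_verification(session, url, cafile=None, insecure=False):
    """Issue a GET through a requests-style session with the resolved setting.

    ``session`` only needs a ``get(url, verify=...)`` method, so a real
    ``requests.Session()`` or the stand-in below both work.
    """
    return session.get(url, verify=resolve_verify(cafile, insecure))


class RecordingSession(object):
    """Constructed stand-in for requests.Session that records the call."""

    def get(self, url, verify=None):
        return {"url": url, "verify": verify}
```

With a real `requests.Session()` the returned dictionary is replaced by the HTTP response; the stand-in exists so the mapping can be checked offline.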