Posted to user@openmeetings.apache.org by kalevi tappinen <ka...@gmail.com> on 2014/08/13 07:54:04 UTC

How can I prove to client that OpenMeetings is enough secure?

Hello,

I'm interested in OpenMeetings, but my client is not sure if
OpenMeetings is secure enough.

How can I prove to the client that OpenMeetings is secure enough?

Is Flash secure? How have you tested the security?

I have read the security section in the OpenMeetings site, but I need more
information to be sure.

BR,

Kalevi

Re: How can I prove to client that OpenMeetings is enough secure?

Posted by kalevi tappinen <ka...@gmail.com>.
Hello,

One medium-level alert, which I got from the ZAP tool, is coming from the
jsessionid parameter:

<server>/openmeetings/swf;jsessionid=64A4ABD7831031264DB769CA1CC828D6?0&invitationHash=dffbc5225fdc148a5a658a30d55cd559

Medium (Warning)
Session ID in URL rewrite

Description
URL rewrite is used to track user session ID. The session ID may be
disclosed in referer header. Besides, the session ID can be stored in
browser history or server logs.
This is maybe not easy to handle with the configuration of Tomcat:
http://stackoverflow.com/questions/2276920/how-to-configure-tomcat-to-not-encode-the-session-id-into-the-url-when-httpservl

Do you have any comment on this?

BR,

Kalevi

2014-08-19 9:39 GMT+03:00 Maxim Solodovnik <so...@gmail.com>:

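An added example, not from the original thread or the OpenMeetings project, of the check behind the ZAP alert above: it finds session identifiers carried as `;jsessionid=` path parameters or as query parameters and reports when they travel in a request URL or in a Referer header. The hostnames, the session value and the parameter-name list are constructed assumptions.

```python
"""Passive check for session identifiers carried in URLs, the class of
finding OWASP ZAP reports as "Session ID in URL rewrite"."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry a session identifier. Assumption: a
# representative list, not ZAP's exact one.
SESSION_PARAM_NAMES = {"jsessionid", "phpsessid", "aspsessionid", "sessionid",
                       "sid", "cfid", "cftoken"}

# ";name=value" path parameters: the form servlet containers such as Tomcat
# use when they rewrite the session id into the URL.
PATH_PARAM_RE = re.compile(r";([^;=/?#]+)=([^;/?#]*)")


def find_session_ids_in_url(url):
    """Return (name, value) pairs for session-like identifiers found either as
    path parameters (.../swf;jsessionid=X) or as query parameters (?sid=X)."""
    parts = urlsplit(url)          # urlsplit keeps ';...' inside .path
    found = []
    for name, value in PATH_PARAM_RE.findall(parts.path):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name, value))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append((name, value))
    return found


def scan_request(request_line, headers):
    """Flag each place one captured request exposes a session id: the request
    target (ends up in server logs and browser history) and the Referer header
    (sent to whatever host the request goes to). Returns (where, name) pairs."""
    _method, target, _version = request_line.split(" ", 2)
    findings = [("url", name) for name, _ in find_session_ids_in_url(target)]
    referer = headers.get("Referer", "")
    findings += [("referer", name) for name, _ in find_session_ids_in_url(referer)]
    return findings


# Constructed sample, not a real capture: after following a rewritten link the
# browser fetches a resource from another host and leaks the id via Referer.
SAMPLE_REQUEST_LINE = "GET /embed.js HTTP/1.1"
SAMPLE_HEADERS = {
    "Host": "third-party.example.test",
    "Referer": "https://om.example.test/openmeetings/swf;jsessionid=CONSTRUCTED0123?0&invitationHash=abc",
}

if __name__ == "__main__":
    for where, name in scan_request(SAMPLE_REQUEST_LINE, SAMPLE_HEADERS):
        print(f"session id '{name}' exposed via {where} to {SAMPLE_HEADERS['Host']}")
```

One mitigation on Servlet 3.0+ containers (Tomcat 7 and later) is declaring `<session-config><tracking-mode>COOKIE</tracking-mode></session-config>` in web.xml, which stops the container from rewriting the session id into URLs at all.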

Re: How can I prove to client that OpenMeetings is enough secure?

Posted by Maxim Solodovnik <so...@gmail.com>.
Thanks a lot, will try this tool (as soon as I have some time)


On 19 August 2014 13:31, kalevi tappinen <ka...@gmail.com> wrote:



-- 
WBR
Maxim aka solomax

Re: How can I prove to client that OpenMeetings is enough secure?

Posted by kalevi tappinen <ka...@gmail.com>.
Hello,

I have tested OpenMeetings with the OWASP ZAP tool and it is generating
quite a lot of warnings, but not critical ones.

I have to analyze the results, and if I find something which should be
fixed, I will inform you.

I recommend the OWASP ZAP tool. It is really easy to use. Just download the
product and then set the proxy. Then browse OpenMeetings, and at the same time
the OWASP ZAP tool checks the communication.

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project


BR,

Kalevi



2014-08-19 9:09 GMT+03:00 Maxim Solodovnik <so...@gmail.com>:


Re: How can I prove to client that OpenMeetings is enough secure?

Posted by Maxim Solodovnik <so...@gmail.com>.
Unfortunately no, we are trying to use all the latest libraries (with all
issues fixed), but have no resources to perform "heavy" security testing.
We will be happy to get any help on this.


On 19 August 2014 12:58, kalevi tappinen <ka...@gmail.com> wrote:



-- 
WBR
Maxim aka solomax

Re: How can I prove to client that OpenMeetings is enough secure?

Posted by kalevi tappinen <ka...@gmail.com>.
Hello,

Is it possible that someone can use some security hole in OpenMeetings
and then have access to our server?

Have you tested the security with penetration tools etc.?

BR,

Mika

2014-08-19 8:43 GMT+03:00 Maxim Solodovnik <so...@gmail.com>:


Re: How can I prove to client that OpenMeetings is enough secure?

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello,

You can set up OM (starting with 3.0.3) to use both HTTPS and RTMPS, which
are secure; all communications will be made via secured channels.


On 19 August 2014 12:36, kalevi tappinen <ka...@gmail.com> wrote:



-- 
WBR
Maxim aka solomax

Re: How can I prove to client that OpenMeetings is enough secure?

Posted by kalevi tappinen <ka...@gmail.com>.
Hello,

I am sending my previous question again. What do you think about the
OpenMeetings security?

BR,

Kalevi

2014-08-13 8:54 GMT+03:00 kalevi tappinen <ka...@gmail.com>:
