Posted to dev@manifoldcf.apache.org by "Erlend Garåsen (JIRA)" <ji...@apache.org> on 2012/08/09 13:00:18 UTC

[jira] [Commented] (CONNECTORS-486) Optionally export crawler configuration without passwords

    [ https://issues.apache.org/jira/browse/CONNECTORS-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13431734#comment-13431734 ] 

Erlend Garåsen commented on CONNECTORS-486:
-------------------------------------------

I suggest that we encrypt the files using AES. DES is not considered to be sufficiently safe. The only thing I'm not sure about is whether the U.S. Export Restrictions hamper this approach. As far as I know, there are some restrictions in China and Russia about strong encryption in software. When it comes to open source software, my knowledge is weak.

In order to have sufficiently safe encryption, we should also generate random keys and store them in the database. I think we should avoid using a static key for encryption since this approach will be vulnerable to abuse.

Of course, this makes the implementation a little bit more complex. It could be implemented in the following way:
1. Keys are generated and stored in PG when running org.apache.manifoldcf.agents.Install
2. This key will be used for encryption and decryption of the exporting and importing tools respectively

Any comments?
                
> Optionally export crawler configuration without passwords
> ---------------------------------------------------------
>
>                 Key: CONNECTORS-486
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-486
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: Framework agents process
>            Reporter: Erlend Garåsen
>            Assignee: Erlend Garåsen
>            Priority: Minor
>             Fix For: ManifoldCF 0.7
>
>
> The "org.apache.manifoldcf.crawler.ExportConfiguration" command class is exporting passwords, for instance to the configured Solr server (Solr Output Connector). This may be a security problem if the export file is version-controlled or placed on a public server.
> We should add an extra "no password" argument to the command class in order to skip such passwords.

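The two-step scheme proposed in the comment above (a random key generated at install time, then used by the export and import tools), written out as an added example; it is not code from the comment or from ManifoldCF. Assumptions: the class and method names are hypothetical, the comment only says "AES" so the AES-GCM mode (Java 7 or later) is a choice made here, and the database that would hold the key is stood in for by a byte array.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class ExportCryptoExample {  // hypothetical class, not part of ManifoldCF
    private static final int IV_LEN = 12;     // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // length of the authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    // Step 1 (install): generate a random key once; these bytes are what the database would store.
    static byte[] generateInstallKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey().getEncoded();
    }

    // Step 2a (export): a fresh random IV per file, written in front of the ciphertext.
    static byte[] encryptExport(byte[] key, byte[] plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Step 2b (import): throws AEADBadTagException if the file was altered or the key is wrong.
    static byte[] decryptImport(byte[] key, byte[] file) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, file, 0, IV_LEN));
        return c.doFinal(file, IV_LEN, file.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = generateInstallKey();
        // Constructed sample input standing in for an exported configuration.
        byte[] config = "solr.password=constructed-sample".getBytes(StandardCharsets.UTF_8);
        byte[] file = encryptExport(key, config);
        System.out.println("round trip ok: " + Arrays.equals(config, decryptImport(key, file)));
        file[file.length - 1] ^= 1;  // flip one bit to simulate a modified export file
        try { decryptImport(key, file); }
        catch (AEADBadTagException e) { System.out.println("modified file rejected"); }
    }
}
```

Because the key lives only in the installation's database, an export file copied to version control or a public server is unreadable on its own, and the import tool rejects a file that was changed after export.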