launchpadsecurity
To ensure that launchpad.net is fairly 'secure™', the following issues should be monitored and hopefully fixed. Rationale: launchpad.net hosts code repositories, bug tracking (private bugs as well as public), PPAs and various other services. Some of these services are more 'critical' than others. If an attacker is able to compromise a user's PPA, they may use it to compromise those using the PPA via back-doored packages.
The Launchpad session cookie should be hidden from JavaScript: https://bugs.launchpad.net/launchpad/+bug/96878
- use an HttpOnly cookie
Launchpad requires the REFERER header on form submission, which breaks with NoScript and other privacy/spam browser plugins: https://bugs.launchpad.net/launchpad/+bug/560246
- use CSRF token(s)
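The two fixes above, sketched as an added example (not Launchpad's own code): a session cookie marked HttpOnly, and form validation that relies on a per-session CSRF token so that a request with no Referer header is still accepted. The cookie name `session`, the form field `csrf_token` and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed secret for this example; a real service loads a stable key from its configuration.
SERVER_KEY = secrets.token_bytes(32)


def session_cookie_header(session_id):
    """Build a Set-Cookie value that page scripts cannot read."""
    cookie = SimpleCookie()
    cookie["session"] = session_id          # hypothetical cookie name
    cookie["session"]["httponly"] = True    # not exposed through document.cookie
    cookie["session"]["secure"] = True      # only sent over HTTPS
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def csrf_token(session_id):
    """Derive the token that is embedded in each form as a hidden field."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def form_submission_allowed(session_id, form):
    """Validate a POST using the token only; the Referer header is never consulted."""
    submitted = form.get("csrf_token")      # hypothetical field name
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = csrf_token(session_id)
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    sid = secrets.token_urlsafe(16)         # constructed session id
    print("Set-Cookie:", session_cookie_header(sid))
    good = {"csrf_token": csrf_token(sid), "comment": "hello"}
    print("valid token, no Referer sent:", form_submission_allowed(sid, good))
    print("missing token:", form_submission_allowed(sid, {"comment": "hello"}))
```

Because the token is derived from the session id, a token issued for one session is rejected when replayed with another.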
launchpadsecurity (last edited 2011-04-10 03:50:33 by d1b)