Tags:
create new tag
, view all tags
The recent to-ing and fro-ing over the security risk has highlighted an issue; if a downloader has not registered, they will not get security warnings. Even now, there will be people out there with no idea they are vulnerable.

I know it's shutting the stable door after the horse has bolted, but how about adding an %INCLUDE to the default BROADCASTMESSAGE that includes a tiny file from twiki.org (or preferably a fast site frown )? That tiny file would normally be empty, but could be used to communicate messages such as "You are highly recommended to apply patch XYZ to avoid security issues".

-- CrawfordCurrie - 18 Nov 2004

I have mixed feelings about this. We would reach many sites. We would reach all users of a site, not just the site administrator. It could be interpreted as a big brother thingy, or as a privacy issue. TWikiSecurityAlertProcess lists alternatives.

-- PeterThoeny - 21 Nov 2004

meanwhile, I have left 2 twiki installations behind at previous wprkplaces, where it is possible that there is no current twikiadmin. therefore, reaching all / any twiki users would at least give them a chance to fix the issue. otherwise, they're totally stuffed.

-- SvenDowideit - 21 Nov 2004

How about an entry in the WebLeftBar, ideally in orange/red, that says 'Security Alerts', pointing to TWikiSecurityAlerts? Putting up a broadcast message for a couple of days saying 'please check Security Alerts' would not be too intrusive IMO.

We should also try to get people to subscribe to a security alerts only email list - a one-time mailshot to administrators highlighting the latest alert and inviting them to this list would probably be useful. Most past users will have registered for downloads anyway.

As part of the new NoRegisterDownload, we should have a strong recommendation to join the low-volume security announcements list.

-- RichardDonkin - 21 Nov 2004

I agree with all of Richard's points.

-- MartinCleaver - 21 Nov 2004

I agree with Richard. Note that I even set up such a list for just the Koala Skin (I have 2 lists for it: one of general discussions, and one writable only by me for announces of new versions.

-- ColasNahaboo - 21 Nov 2004

as an admin who installed over dozen twikis, i like richard's idea for low-volume security anouncement list (one of the servers i co-admin was compromised through twiki search 10 days ago, announcement came too late to save it).

-- ToniPrug - 21 Nov 2004

I've now seen multiple statements that imply registering to download means you have received some warning. I've registered and downloaded multiple times since 2002, but received nothing. I only found out about this problem from SANS.

-- StevenLumos - 23 Nov 2004

OK, I finally made it to TWikiSecurityAlertProcess and see that I was confused.

-- StevenLumos - 23 Nov 2004

I don't think this is a good idea. As well as the target audiance (admins) it would also reach many many other users of TWiki sites. At best might be embarrassing for admins, could cause much wasted time dealing with queries from users, and could lead to disgruntled or malicious users being able to compromise the site before it can be patched.

-- SamHasler - 24 Nov 2004

Edit | Attach | Watch | Print version | History: r9 < r8 < r7 < r6 < r5 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r9 - 2004-11-24 - SamHasler
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.