TT-RSS is capable of encrypting (not hashing) passwords used to retrieve authenticated feeds. The default config file has this feature disabled with an empty encryption key. Consider adding an attribute for it.
Need to ponder how to set an initial random one, and what the implications are for an existing site if this value goes from empty-string to something. Does it trigger database encryption? Does it assume the database is already encrypted and break authenticated feeds?
Thanks for the heads up. I'm not sure getting the random string is particularly the hard part, though. I'm more concerned about existing installs and what will happen to them if I start creating keys by default, which just needs testing to see how tt-rss handles an existing authenticated feed with an empty FEED_CRYPT_KEY, once a new key is set.
As much as I'd like to be secure by default, the first iteration of this is likely to be an empty string in order to match the default that tt-rss ships. I should also note that I don't use authenticated feeds, so this is relatively low on my personal list... but I wanted the gap documented to hopefully solicit a patch from someone who does.