[Sugar-devel] Schoolserver security

[Bernie Innocenti]

El Thu, 01-07-2010 a las 20:55 -0600, Daniel Drake escribió:
> Child connects to a network, perhaps just to go online outside of
> school. The network has an XS. The laptop registers. The journal is
> backed up to the server.

Ok, this is a serious security issue.

How about asking the user to confirm registration to an unknown server,
like ssh does? For slightly improved security, we could hash the ssh
fingerprint to a color pair, so the teacher could say "your schoolserver
is blue and red, don't register to any other".

Sadly, adding this UI requirement means that this feature won't be ready
n time for this release :-(


> I think the current XO-XS communication is secure enough in the places
> where it needs to be. But registration indeed is a big problem and it
> could do with a rethink which would probably involve some kind of
> key-based auth to achieve the best results in terms of user
> experience.

Well, communication being secure does not help much if the registration
step is fatally flawed.

Anyone passing nearby a school can make their computer register to the
schoolserver with any made up serial number, then steal all journals,
fill up the hard-drive with junk... probably even hijack the
schoolserver, as it's a Fedora 9 without security patches, running
plenty of scary webapps.

We could be plug both this hole and the auto-registration security issue
by making laptops receive their private ssh keys from the OATS server
and distribute the matching public keys to the schoolserver. The same
could be done with SSL client and server certificates.

Thanks to your earlier work and Inventario, Paraguay already has all the
infrastructure in place to do this, but it's kind of demanding for most
deployments, especially those without a centralized anti-theft server.

Can you think of a simpler scheme to perform mutual authentication.

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/