Bug / Feature #149
closed
Added by spale about 14 years ago.
Updated almost 12 years ago.
Start date: 20 September 2010
Description
After generating a certificate with a passphrase, I was able to load my certificates into another setup without giving my passphrase. It seems pretty sure that the saved certificates are not encrypted with the passphrase. I have put the highest priority to this issue because it's a security issue.
- Status changed from New to 6
- Assignee set to Exception
Importing the encrypted key does not require the passphrase as it is not decrypted when importing.
Using the private key of course requires the passphrase. But you could not have used it up to this time as there is no voting procedure yet.
I was not sure about it but somehow expected this answer. You could set one or more test votes for the next 30 days, so people can play a little bit.
The best would be a test mode in the client that's using another backend system. Something like:
- test backend including all valid certs/signatures
- auto open/close of 2-3 votes every day
- test mode implementation in the client
Should I open a feature request?
- Category set to Security
- Target version set to PiVote 1.0.1.0