Hello People,
Every day, one for one, I perceive that Gallery is excellent!!!!
However, I have a master's degree project with very secret data. I would like to make these pictures available for my research group in the university to access. But I am afraid of them being accessed by strangers. If this happens, I will suffer serious damage. It is as if the Department of American North State was invaded and their secret data were distributed over the net.
My question:
What is the level of safety of Gallery?
I configured it for access only by way of login. Then, whoever is not authenticated by Gallery doesn't see any album in the initial screen. Is this password encrypted?
How can I implement the safety in Gallery?
Will I need to turn it into a safe site, of the SSL type?
Thank you very much and long life to Gallery Dev Team.
Gallery: 1.3.3
Apache: 1.3.27
PHP: 4.3.0
OS: Win2000 Professional
Net: LAN
Posts: 3474
Hello.
I would recommend you have some sort of authentication over an SSL connection if your data needs to be protected. Gallery will operate fine inside an SSL site.
However, the Gallery authentication process on its own is not to be considered secure. While passwords are *stored* in a secure manner (hashed passwords and password file is denied via Apache), the passwords are passed in to Gallery in plain text over HTTP... so you'd need to be operating with an SSL connection in order for this to be encrypted, and better still if the certificates are stored locally so that no password ever gets transmitted in plain text.
Also, Gallery v.1.x leaves the images exposed to users in the albums directory. While you can prevent them from being served up by editing the album directory's .htaccess file, to be safe, you really ought to have your entire gallery and albums available only via the SSL connection. Gallery 2 will allow the images to be stored outside the web directory, which is far more secure.
If your site's security is really as crucial as "Department of American North State", then I recommend you consult/hire an expert in security and authentication to help you on your specific site. But to sum up, provided someone is logged in via an SSL connection, then it'll be reasonably safe to run your gallery.
-Beckett
Posts: 8194
You might even want to protect Gallery with HTTP Authentication. Though it will be double (e.g. HTTP Auth AND Gallery authentication), it will make sure that only authenticated users will be able to access the albums directory (which has to be in the document root). Though it will be a hassle for users, it will be pretty fool-proof security, provided passwords are compromised and some Apache vulnerability with HTTP Auth isn't discovered. :roll:
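
The layered setup suggested in the two replies above (SSL-only access plus HTTP Authentication in front of Gallery's own login), as an added sketch that is not part of the original posts: a `.htaccess` for the Gallery and albums directories on Apache 1.3 with mod_ssl. The realm name and password-file path are placeholders, and the server configuration must permit these directives with `AllowOverride AuthConfig`.

```apache
# Added example; the realm name and file path below are placeholders (assumptions).

# Refuse any request that did not arrive over SSL (mod_ssl directive).
# Basic auth only base64-encodes the password, so it must never
# travel over plain HTTP.
SSLRequireSSL

# HTTP Basic authentication in front of Gallery's own login.
AuthType Basic
AuthName "Research group gallery"

# Keep the password file outside the document root so it cannot be
# requested through the web server.
AuthUserFile "C:/apache-private/gallery.htpasswd"
Require valid-user

# Every restriction must pass, not just one of them.
Satisfy All
```

The password file is created and maintained with Apache's `htpasswd` utility.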
Posts: 44
People,
Thank you for the quick replies to my question.
Well, firstly I want to say that the comparison with the Department of State of the USA was, of course, a joke. Although my data are extremely important, they are not that important!
After reading the answers, I was wondering whether it would not be better, in my case, to install Gallery 2.x.
What do you think about that?
I would install it in an SSL system.
OK?
Marcelo
Posts: 3474
That's fine... though G2 is still in development... so you're going to have to wait a while before we have a "working" version available.
Posts: 44
OK.
I thought that it was possible to obtain a beta version of G2.
Is this not possible?
Marcelo
Posts: 3474
Gallery isn't even at alpha stage, let alone beta. :wink:
But you can grab the code in its current state from the CVS server or from the nightly tarballs. But you shouldn't run a production site with it at this early stage.
Posts: 44
Well, I already downloaded G2.
I am reading the instructions.
Any tip?
Today, at the development stage G2 is currently in, would you say that, in terms of security, it is better, worse or equal to 1.3.3?
Marcelo