[Owncloud] Re: Questions regarding the implementation of the SyncML feature for syncing PIM data

kunal ghosh kunal.t2 at gmail.com
Mon Jul 11 02:20:16 UTC 2011


>
>    - The last part is about security-authenticating issues
>       - What credentials should be used for the SyncML server
>       authentication? The same as for the owncloud authentication? We should allow
>       the user to make as many accounts as he wants?
>
phpsyncML's authentication mechanism is yet to be integrated with
owncloud's. But we should go with a single authentication mechanism.

>
>    - PHPSyncML server doesn't support MD5, so, by now, all the passwords
>       are transmitted in plain text. You can see them with wireshark. I'm sure
>       that the passwords are stored encrypted in the owncloud database. So, a
>       couple of solutions come to my mind. (I know that MD5 is no longer secure,
>       but it's still a standard, and at least is something...)
>       - Implement the feature of handling MD5 passwords by the PHPSyncML
>          server somehow
>
Can be easily done :)
1. Get the username and password encrypted using MD5 from the client.
2. Compare it to the encrypted username and password in owncloud.


>
>    - As far as I know, if the connection itself is encrypted (HTTPS), it
>          should not matter if the passwords are transmitted in plain text. The main
>          drawback of this solution is that the owncloud server MUST have enabled the
>          HTTPS feature to use the SyncML feature, and having HTTPS enabled is not so
>          trivial. (I mean, maybe some of the standard hosting services don't
>          support it, I don't know)
>
Well, for authentication, encrypting the authentication phrases should be
sufficient.
But for data security HTTPS is the way to go. We could (before HTTPS is
implemented) encrypt the data at the client side
easily using the funambol SDK and decrypt the data in phpsyncML.

> Kunal, you're working also with SyncML, how do you plan to manage those
> security issues?
>

as explained above.

-- 
regards,

Kunal Ghosh
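
The two steps described above (the client sends an MD5-derived credential, the server compares it with what it has stored), as an added PHP example that is not part of the original message and is not phpSyncML or ownCloud code. It assumes the SyncML 1.1+ form of `syncml:auth-md5`; the function names and sample values are hypothetical.

```php
<?php
// Added example. Assumes the SyncML 1.1+ form of syncml:auth-md5:
//   Cred = B64( MD5( B64(MD5("user:password")) ":" nonce ) )
// All function names and sample values are constructed for illustration.

// Derived once, when the password is set, so the clear-text password
// does not have to be kept on the server.
function syncml_stored_secret(string $user, string $password): string
{
    return base64_encode(md5($user . ':' . $password, true));
}

// Value a client places in <Cred><Data> for a given server nonce (raw bytes).
function syncml_md5_cred(string $storedSecret, string $nonce): string
{
    return base64_encode(md5($storedSecret . ':' . $nonce, true));
}

// Server side: recompute from the stored secret, compare in constant time.
function syncml_verify(string $storedSecret, string $nonce, string $cred): bool
{
    return hash_equals(syncml_md5_cred($storedSecret, $nonce), $cred);
}

// Constructed sample exchange.
$secret = syncml_stored_secret('alice', 'correct horse');
$nonce  = random_bytes(16);   // fresh per session, issued by the server
$cred   = syncml_md5_cred($secret, $nonce);

// Credential checked against the nonce it was built for.
var_dump(syncml_verify($secret, $nonce, $cred));

// Same credential replayed after the server has moved to a new nonce.
var_dump(syncml_verify($secret, random_bytes(16), $cred));

// Credential checked against a secret derived from a different password.
var_dump(syncml_verify(syncml_stored_secret('alice', 'wrong'), $nonce, $cred));
```

The stored value is password-equivalent and has to be derived when the password is set; a password hash kept in any other form cannot be fed into this comparison. The scheme covers only the credential, not the synced data.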