Created a security overview page as a quick guide to Trac users.

[Imported from Trac: page TracSecurityOverview, version 1]

TracSecurityOverview.md

@@ -0,0 +1,28 @@
+# Trac Security Overview
+
+This is just a quick'n'dirty document to help users make informed decisions about the Trac.
+
+
+## Recommendations
+
+  * Don't use a password which you use elsewhere.  (See: Twitter incident)  [Find ref.]FIXME:
+  * Don't expect the ticket database to be non-corrupt or reliable or persistent.
+    * Backup the ticket database and wiki pages regularly!  Use snapshots so corruption does not overwrite correct data. 
+
+
+## Vulnerabilities
+
+  * HTTP without SSL means a passive attacker can see all your traffic (except password on login, see below).
+  * HTTP without SSL means an active attacker can do anything at all with your account privileges.
+  * Password reset over HTTP means the attacker knows your password with minimal effort.
+  * HTTP Auth uses Digest mechanism, which means (if implemented correctly):
+    * Attacker cannot learn your password during a login request.
+    * The database must store your plaintext password (in order to compute the correct digest).  [verify.]FIXME:
+      * Anyone with file system read access to the machine also has all passwords.
+
+
+## To Do
+
+  * Search for existing Trac security references.
+  * Verify that plaintext passwords are stored.
+  * Find Twitter incident ref (the short story is that there were no technical security flaws, but users used the same creds on an "unimportant" service as well as a different critical service, so the attacker could escalate the attack across services.)