Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask
 
PerlMonks  

Secure Perlmonks

by Mirage (Sexton)
on Jul 09, 2003 at 13:36 UTC ( [id://272674]=monkdiscuss: print w/replies, xml ) Need Help??

Fellow Monks,
concerning the question of security, I noticed that perlmonks unfortunately is insecure by sending passwords in cleartext at login time. Therefore, I can't login to perlmonks using any shared internet connection if I don't want to share my perlmonks account, too. I don't think that it would be a bad thing to have https enabled perlmonks for those paranoid people like me.
Please tell me your opinion, especially about practical possibility.

Mirage

Replies are listed 'Best First'.
Re: Secure Perlmonks
by chromatic (Archbishop) on Jul 09, 2003 at 14:18 UTC

    Would you feel more comfortable with Digest authentication? I realize it's not as secure as 128-bit SSL, but it's better than cookies or Basic authentication.

      Would you feel more comfortable with Digest authentication? I realize it's not as secure as 128-bit SSL, but it's better than cookies or Basic authentication.

      Correct me if my information is out-of-date, but when last I looked (a year or so ago), support for Digest authentication was missing from most browsers. Which browsers support it now?

      Yes.

      MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
      I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
      ** The third rule of perl club is a statement of fact: pod is sexy.

Re: Secure Perlmonks
by barrd (Canon) on Jul 09, 2003 at 13:45 UTC
    Hi Mirage,

    Getting a SSL certificate costs money, this site is generously donated by several people & companies. If you're that paranoid please go to the donations page and contribute.

    Its not like this site is storing credit card numbers or anything?

    No offence meant - peace.
    /me ~ barrd

        Yes, you can self-sign your own certificates and that will do well enough for encryption, but most browsers will not accept it for authentication. That means users will get confusing errors popping up every time the go to log on until they configure their browser to trust the certificate. That kind of stuff scares away users.

Re: Secure Perlmonks
by MrCromeDome (Deacon) on Jul 09, 2003 at 15:25 UTC
    FYI, we've already been over this at some length in this node.

    Cheers!
    MrCromeDome

Re: Secure Perlmonks
by pzbagel (Chaplain) on Jul 09, 2003 at 20:10 UTC

    Simple. Just set up a system somewhere (on your broadband connection at home, in a colo, anywhere you can reach it from the internet at large). Run openssh (Secure Shell) on it. Run a squid proxy configured to only allow loopback connections. Now ssh to the box, forward local port 8080(or whatever) to 127.0.0.1:<sqiudport> on the remote host. Now configure your browser's proxy settings to point to 127.0.0.1:8080(or whatever you chose as the local port) and surf away. All your connections will be encrypted via SSH until they reach the remote machine at which point the squid proxy will go out and retrieve the web pages for you. No prying eyes on the LAN you are on will be able to see what you are doing, unless they look at your monitor. This also gets around most URL filtering for when you are doing <ahem> research...

    Or you can just relax and go with the flow...

    Later

      Well, I just wondered the scenario to which such concern is caused? For one, Perl Monks generates a random password for you, so its not like you're using a password from somewhere else, for two, there's not a whole lot of information that they keep on you.

      If someone is taking the time to sniff packets on your network, then you have likely got a lot more to worry about then just your perlmonks password. I'm a security professional, and I'm extremely paranoid about these sort of things, but I find no real cause for concern here.

      Also you should consider what kind of network you are on. Say you are at work, well then its likely you're on a switched network. If that's the case you have little to worry about unless you are worried that perlmonks.org is sniffing your passwords, since only the target machine would be able to catch the packets... that is of course unless you have someone on your switched network that knows how to do ARP poisoning, but that takes a level of expertise and patience.

      If you are worried about hackers on your network, and you are worried about someone doing ARP poisoning to sniff your packets, well, you should be much more worried that the person may have already hacked your machine and created a back door account! Cheers
        If someone is taking the time to sniff packets on your network, then you have likely got a lot more to worry about then just your perlmonks password.
        the time is just a simple dsniff that runs in the background.

        Also you should consider what kind of network you are on. Say you are at work, well then its likely you're on a switched network
        switched networks are no real match, as you can fake packets that will confuse the switch, so you can get all the packages you want. I think especially as a security expert you shouldn't feel all safe because its may seem hard it do - as long as it is possible there is the danger.

        By the way, hackers are not people who enter into machines and try to harm others.
        see here

Re: Secure Perlmonks
by zentara (Archbishop) on Jul 09, 2003 at 14:49 UTC
    Perlmonks is already slow enough. Running ssl would just drag it down another notch. Just be an "anonymous monk" from shared connections. With all the scanners going out there, you can be sure that some government agency already has your password, so who are you trying to hide it from?

      And who cares - really? So someone else can impersonate me. Big Whoop. PerlMonks isn't the sort of place where impersonation has (the majority of the time) real consequences. If the rat bastard did something naughty, you'd come back, assert your innocense and we'd all understand.

      Your paranoia with regard to your PM username is unfounded.

        Your paranoia with regard to your PM username is unfounded.

        You know the saying... "just because you're paranoid doesn't mean they're not out to get you."

        I rather think that being paranoid about computer security is generally a good thing. It's a question of how that paranoia manifests itself. For instance, it's good to be paranoid enough that the thought of reusing your perlmonks password elsewhere never even occurs to you. We do, afterall, need to deal with reality as it is.

        That said, I'd prefer it we had a secure login. I wouldn't even mind a self-signed cert.

        -sauoq
        "My two cents aren't worth a dime.";
        
Re: Secure Perlmonks
by kudra (Vicar) on Jul 09, 2003 at 19:56 UTC
    I made a second account (after properly informing the appropriate people) to use from work and at conferences because of the same concern. But it turned out to be too much trouble, so I just use my account now, or anon if I'm feeling lazy/paranoid. You might consider that option.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: monkdiscuss [id://272674]
Approved by gjb
Front-paged by ehdonhon
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others cooling their heels in the Monastery: (6)
As of 2024-03-19 02:43 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found