Re: Secure Perlmonks
by chromatic (Archbishop) on Jul 09, 2003 at 14:18 UTC
Would you feel more comfortable with Digest authentication? I realize it's not as secure as 128-bit SSL, but it's better than cookies or Basic authentication.
Yes.
MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!" | I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README). | ** The third rule of perl club is a statement of fact: pod is sexy.
Re: Secure Perlmonks
by barrd (Canon) on Jul 09, 2003 at 13:45 UTC
Hi Mirage,
Getting an SSL certificate costs money; this site is generously donated by several people & companies. If you're that paranoid, please go to the donations page and contribute.
It's not like this site is storing credit card numbers or anything?
No offence meant - peace.
/me ~ barrd
Yes, you can self-sign your own certificates and that will do well enough for encryption, but most browsers will not accept it for authentication. That means users will get confusing errors popping up every time they go to log on until they configure their browser to trust the certificate. That kind of stuff scares away users.
Re: Secure Perlmonks
by MrCromeDome (Deacon) on Jul 09, 2003 at 15:25 UTC
FYI, we've already been over this at some length in this node.
Cheers!
MrCromeDome
Re: Secure Perlmonks
by pzbagel (Chaplain) on Jul 09, 2003 at 20:10 UTC
Simple. Just set up a system somewhere (on your broadband connection at home, in a colo, anywhere you can reach it from the internet at large). Run openssh (Secure Shell) on it. Run a squid proxy configured to only allow loopback connections. Now ssh to the box, forward local port 8080 (or whatever) to 127.0.0.1:<squidport> on the remote host. Now configure your browser's proxy settings to point to 127.0.0.1:8080 (or whatever you chose as the local port) and surf away. All your connections will be encrypted via SSH until they reach the remote machine, at which point the squid proxy will go out and retrieve the web pages for you. No prying eyes on the LAN you are on will be able to see what you are doing, unless they look at your monitor. This also gets around most URL filtering for when you are doing <ahem> research...
Or you can just relax and go with the flow...
Later
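The SSH-forward-to-squid setup described in the post above, as an added shell example that is not from the original post: it builds the local port-forward command and checks that a constructed squid.conf fragment listens only on loopback and ends with a deny-all rule, so the proxy is reachable only through the tunnel. The host, user and squid port 3128 are placeholders I assumed.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholders: the remote host,
# the ssh user, and squid listening on 3128 on the remote loopback.
REMOTE_HOST="proxy.example.com"   # placeholder
REMOTE_USER="me"                  # placeholder
SQUID_PORT=3128
LOCAL_PORT=8080

# Constructed squid.conf fragment: bind to loopback only, allow only local
# clients (i.e. connections arriving through the ssh tunnel), deny the rest.
SQUID_CONF='http_port 127.0.0.1:3128
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all'

# Print the ssh command that carries browser traffic over the tunnel.
# -N: no remote shell, just forwarding.
# -L: expose LOCAL_PORT here and deliver it to squid on the remote loopback.
tunnel_cmd() {
  printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' \
    "$LOCAL_PORT" "$SQUID_PORT" "$REMOTE_USER" "$REMOTE_HOST"
}

# Return 0 if the squid config binds only to 127.0.0.1 and its last
# http_access rule denies everything not explicitly allowed; 1 otherwise.
check_squid_conf() {
  conf="$1"
  # There must be at least one listener line to check.
  printf '%s\n' "$conf" | grep -q '^http_port' || return 1
  # Any http_port not bound to loopback exposes the proxy to the whole network.
  if printf '%s\n' "$conf" | grep '^http_port' | grep -vq '^http_port 127\.0\.0\.1:'; then
    return 1
  fi
  # The final http_access rule must be "deny all".
  last=$(printf '%s\n' "$conf" | grep '^http_access' | tail -n 1)
  [ "$last" = "http_access deny all" ]
}
```

Run `tunnel_cmd` to see the command to type on the laptop, then point the browser's proxy at 127.0.0.1:8080; `check_squid_conf "$SQUID_CONF"` is the sanity check to run against the real config before opening the box to the internet.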
Well, I just wondered what scenario causes such concern? For one, Perl Monks generates a random password for you, so it's not like you're using a password from somewhere else; for two, there's not a whole lot of information that they keep on you.
If someone is taking the time to sniff packets on your network, then you have likely got a lot more to worry about than just your perlmonks password. I'm a security professional, and I'm extremely paranoid about these sorts of things, but I find no real cause for concern here.
Also you should consider what kind of network you are on. Say you are at work; well then it's likely you're on a switched network. If that's the case you have little to worry about unless you are worried that perlmonks.org is sniffing your passwords, since only the target machine would be able to catch the packets... that is of course unless you have someone on your switched network that knows how to do ARP poisoning, but that takes a level of expertise and patience.
If you are worried about hackers on your network, and you are worried about someone doing ARP poisoning to sniff your packets, well, you should be much more worried that the person may have already hacked your machine and created a back door account!
Cheers
If someone is taking the time to sniff packets on your network, then you have likely got a lot more to worry about then just your perlmonks password.
The time is just a simple dsniff that runs in the background.
Also you should consider what kind of network you are on. Say you are at work, well then its likely you're on a switched network
Switched networks are no real match, as you can fake packets that will confuse the switch, so you can get all the packets you want. I think especially as a security expert you shouldn't feel all safe because it may seem hard to do - as long as it is possible there is the danger.
By the way, hackers are not people who enter into machines and try to harm others.
see here
Re: Secure Perlmonks
by zentara (Archbishop) on Jul 09, 2003 at 14:49 UTC
Perlmonks is already slow enough. Running ssl would just drag it down another notch. Just be an "anonymous monk" from shared connections. With all the scanners going out there, you can be sure that some government agency already has your password, so who are you trying to hide it from?
And who cares - really? So someone else can impersonate me. Big Whoop. PerlMonks isn't the sort of place where impersonation has (the majority of the time) real consequences. If the rat bastard did something naughty, you'd come back, assert your innocence and we'd all understand. Your paranoia with regard to your PM username is unfounded.
Your paranoia with regard to your PM username is unfounded.
You know the saying... "just because you're paranoid doesn't mean they're not out to get you."
I rather think that being paranoid about computer security is generally a good thing. It's a question of how that paranoia manifests itself. For instance, it's good to be paranoid enough that the thought of reusing your perlmonks password elsewhere never even occurs to you. We do, after all, need to deal with reality as it is.
That said, I'd prefer it if we had a secure login. I wouldn't even mind a self-signed cert.
-sauoq
"My two cents aren't worth a dime.";
Re: Secure Perlmonks
by kudra (Vicar) on Jul 09, 2003 at 19:56 UTC
I made a second account (after properly informing the appropriate people) to use from work and at conferences because of the same concern. But it turned out to be too much trouble, so I just use my account now, or anon if I'm feeling lazy/paranoid. You might consider that option.