WARNING: user security maybe at risk?
Kashgarinn
- I'd be interested in knowing whether and how users of CCTW are
affected, if I ever try it out on a wireless, or get help doing it
(dont' have a wireless computer) I'll post the findings.
BTW, am I the only one left here interested in this wiki?
VL
1. you are not the only one interested in this wiki but you are
probably the most active (which is perfect)...
2. my understanding is that cctiddly wikis are impractical for huge
amounts of data (the content sent back-and-forth), so putting SSL on
your web server would not have any impact on performance of that
component - I use an old Compaq Deskpro as a web server with enforced
https, I only have few users and wikis are between 5-10MB in size,
thus for me this works fine
3. in any serious (business) environmnent wifis are encrypted; that
should take care of your concerns
4. cookies can be accompanied with other "integrity" marks such as IP,
username, hidden field in html form - which should increase resistance
against open wifi attacks in private environments
5. conclusion - generally I wouldn't put a very sensitive stuff into
html/PHP/javascript-based wikis anyway; for that one would need
something more serious, like end-to-end encryption in the form of,
perhaps, DRM technologies, or at least a certificate-based protection;
pure html content is difficult to protect
VL
> --
> You received this message because you are subscribed to the Google Groups "ccTiddly" group.
> To post to this group, send email to ccti...@googlegroups.com.
> To unsubscribe from this group, send email to cctiddly+u...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/cctiddly?hl=en.
>
>
--
VL
Kashgarinn
On Nov 8, 7:17 am, VL <vladimir.luk...@gmail.com> wrote:
> Hi,
>
> 1. you are not the only one interested in this wiki but you are
> probably the most active (which is perfect)...
out there.
> 2. my understanding is that cctiddly wikis are impractical for huge
> amounts of data (the content sent back-and-forth), so putting SSL on
> your web server would not have any impact on performance of that
> component - I use an old Compaq Deskpro as a web server with enforced
> https, I only have few users and wikis are between 5-10MB in size,
> thus for me this works fine
everything at the start, I haven't though tried it yet, it's on my
todo list to check it out.
> 3. in any serious (business) environmnent wifis are encrypted; that
> should take care of your concerns
and a winxp laptop.
> 4. cookies can be accompanied with other "integrity" marks such as IP,
> username, hidden field in html form - which should increase resistance
> against open wifi attacks in private environments
are kept today is entirely safe, but I don't have enough experience
programming to check and/or improve it yet.
> 5. conclusion - generally I wouldn't put a very sensitive stuff into
> html/PHP/javascript-based wikis anyway; for that one would need
> something more serious, like end-to-end encryption in the form of,
> perhaps, DRM technologies, or at least a certificate-based protection;
> pure html content is difficult to protect
HTTPS only connections, to not make it show anything if a user isn't
authenticated, and have user authentication via LDAP. I am though
concerned about the cookies, and whether the authentication
verification currently is good enough (I have my suspicions it
isn't). There is an option of sending the user/pass after a sha1
scramble, but I haven't looked into it enough to make it work
properly. I've been trying to discover what would be the most
properly secure way to send a user/pass to the server and how that
differs from current method, but it's a tough thing to verify and see
what needs fixing.
S.
whatever
w