Bona Fide OS Developer



 Forum PW's... 
Author Message

Joined: Wed Oct 14, 2009 9:39 am
Posts: 198
Location: United States
Post Re: Forum PW's...
Kieran wrote:
But, since most people will access this website from home, more than likely via a wireless router, possibly with a wired connection for their main computer.

As long as the router is secured and the local exchanges are the then your data is secure from all but government agencies.

As far as I can see the main security risk would be ARP (ARP Poison Routing) to re-route network traffic, but this requires a direct link with the client, which would be hard to achieve if the correct security is used, i.e. WPA2 or a network using a RADIUS server for network authentication.


Not entirely. If two people are on the same subnet/router/switch [depends on configuration], then packets can be captured. You are assuming that all people are using routers, and none of them are DMZ'd. I can place a DMZ system onto, say, the AT&T DSL network and capture the packets from all the other people on the same hub. ARP poisoning leading to a MitM attack would be useful for injecting and controlling the TCP streams, but a straight-up Wireshark sniff on a subnet will result in all clear-text passwords. On top of that, most wireless routers' default security is WEP, which can be cracked in a few minutes. It comes down to end-to-end encryption and verification. I would recommend getting an SSL cert for us if we put ads in place to pay for it (GoDaddy has them for a low price).

_________________
Charles Timko
push %esp ;Musings of a computer addict


Sun Aug 15, 2010 6:20 pm
Profile WWW
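The post above argues that ARP poisoning on a shared segment is the realistic threat. As an added example (not code from the thread or from any poster), here is a small defender-side check that scans ARP reply lines in the style of tcpdump output and flags the two symptoms a poisoning attempt produces: an IP whose announced hardware address changes, and a single MAC answering for several IPs. The log lines are constructed for the example; the format assumed is tcpdump's "Reply <ip> is-at <mac>".

```python
"""Flag ARP cache changes that can indicate ARP poisoning on a subnet.

Added example, not from the thread. Parses tcpdump-style ARP reply lines
(constructed below) and reports conflicting announcements.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n arp` output. In the
# fourth line the gateway's IP is suddenly claimed by a different MAC,
# and that same MAC then also answers for a second host.
SAMPLE_ARP_LOG = """\
12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20, length 28
12:00:03.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:04.000 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:99, length 28
12:00:05.000 ARP, Reply 192.168.1.30 is-at 00:de:ad:be:ef:99, length 28
"""

ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)


def parse_arp_replies(log_text):
    """Yield (ip, mac) pairs for every ARP reply line, MACs lower-cased."""
    for line in log_text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def find_ip_mac_changes(log_text):
    """Return [(ip, old_mac, new_mac)] for each IP whose MAC changes.

    A gateway's MAC changing mid-capture is the classic sign of a
    poisoning attempt (or, more benignly, a replaced router).
    """
    seen = {}
    alerts = []
    for ip, mac in parse_arp_replies(log_text):
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ip, prev, mac))
        seen[ip] = mac
    return alerts


def find_macs_claiming_multiple_ips(log_text):
    """Return {mac: sorted list of IPs} for MACs answering for >1 IP.

    Legitimate hosts with several addresses exist (a router with VLAN
    interfaces, for instance), so treat this as a lead, not a verdict.
    """
    ips_by_mac = defaultdict(set)
    for ip, mac in parse_arp_replies(log_text):
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for ip, old, new in find_ip_mac_changes(SAMPLE_ARP_LOG):
        print(f"ALERT: {ip} moved from {old} to {new}")
    for mac, ips in find_macs_claiming_multiple_ips(SAMPLE_ARP_LOG).items():
        print(f"NOTE: {mac} answers for {', '.join(ips)}")
```

Run against a real capture by piping `tcpdump -n -l arp` output into `find_ip_mac_changes`; the check is stateless across runs, so persist the seen table if you want to catch a change between two captures.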
Site Admin

Joined: Sat Jul 25, 2009 7:44 am
Posts: 274
Location: United Kingdom
Post Re: Forum PW's...
Or our own CA... I can install EJBCA, which is a good solution. Or use Windows CA. You pay quite a bit for a certificate from most major CAs.

_________________
Thank you for reading,

Kieran C G Foot


Thu Aug 19, 2010 12:16 pm
Profile WWW

Joined: Wed Oct 14, 2009 9:39 am
Posts: 198
Location: United States
Post Re: Forum PW's...
That you do. If we do our own CA, a link to download the cert so the browser stops complaining about not being able to verify it would be good. I know that there are some places that do free 1-year certs for open source projects, and we might be able to qualify.

_________________
Charles Timko
push %esp ;Musings of a computer addict


Sat Aug 21, 2010 10:53 am
Profile WWW
Site Admin

Joined: Fri Jul 24, 2009 10:02 pm
Posts: 247
Location: Las Vegas, NV, US
Post Re: Forum PW's...
I could buy one for like $15 and, now that I think of it, I have a spare waiting to be used at namecheap.com. I just hate HTTPS setup, especially since it needs its own IP.

Can't wait to have the new TLS SNI standard accepted: http://en.wikipedia.org/wiki/Server_Name_Indication


Wed Sep 15, 2010 3:33 pm
Profile
Site Admin

Joined: Sat Jul 25, 2009 7:44 am
Posts: 274
Location: United Kingdom
Post Re: Forum PW's...
I'd propose using EJBCA due to its flexibility, and it will preserve complete control.

_________________
Thank you for reading,

Kieran C G Foot


Thu Sep 16, 2010 4:35 am
Profile WWW
Site Admin

Joined: Fri Jul 24, 2009 10:02 pm
Posts: 247
Location: Las Vegas, NV, US
Post Re: Forum PW's...
EJBCA?


Thu Sep 16, 2010 1:37 pm
Profile
Site Admin

Joined: Sat Jul 25, 2009 7:44 am
Posts: 274
Location: United Kingdom
Post Re: Forum PW's...
It's an open-source, cross-platform Certification Authority that runs under JBoss or GlassFish.

It's really good, but a bit of a pain to install.

It's also tried and tested... Used by governments too...

You can build CAs, sub-CAs and all possible certificate types.

So a complete certificate chain/tree can be created.

_________________
Thank you for reading,

Kieran C G Foot


Fri Sep 17, 2010 7:16 am
Profile WWW

Joined: Wed Oct 14, 2009 9:39 am
Posts: 198
Location: United States
Post Re: Forum PW's...
brenden wrote:
I could buy one for like $15 and, now that I think of it, I have a spare waiting to be used at namecheap.com. I just hate HTTPS setup, especially since it needs its own IP.

Can't wait to have the new TLS SNI standard accepted: http://en.wikipedia.org/wiki/Server_Name_Indication


Not true. TLS uses the hostname and IP address as the superkey. I have 2 TLS certs on the same server for two different hosts. As for the $15, yea, GoDaddy is pretty cheap now... so in short, SNI isn't a standard, it's in an RFC, which makes it a really good suggestion. All major browsers support it. ((I have been writing my own webserver for a while now and I am getting into the TLS area.))

_________________
Charles Timko
push %esp ;Musings of a computer addict


Thu Sep 23, 2010 9:39 am
Profile WWW
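The two posts above disagree about whether one IP can serve several HTTPS hosts; the mechanism that makes it work is the TLS server_name extension (RFC 4366 when this thread was written, now RFC 6066), which the client sends in its ClientHello before any certificate is chosen. As an added example, not code from the thread or from either poster's web server, the block below builds a minimal ClientHello with that extension, parses the hostname back out of the raw record the way a server must, and uses it to pick a certificate. The certificate table and hostnames are constructed placeholders; the record layout follows the TLS 1.2 wire format.

```python
"""Server Name Indication: build a ClientHello, extract the SNI hostname
from the raw TLS record, and select a certificate with it.

Added example, not from the thread. Hostnames and the certificate table
are constructed placeholders.
"""
import struct

SNI_EXT_TYPE = 0x0000   # server_name extension type (RFC 6066)
HOST_NAME = 0           # NameType.host_name


def build_client_hello(hostname=None):
    """Return a TLS record carrying a ClientHello, optionally with SNI.

    Only the fields a SNI parser has to walk past are populated; the
    32-byte random is fixed here, a real client uses CSPRNG output.
    """
    random = bytes(range(32))  # constructed, not random
    cipher_suites = b"\x13\x01\x13\x02"  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body = b"\x03\x03" + random + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                              # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        server_name_list = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(ext_data)) + ext_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:           # not a Handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression methods
    if len(body) < pos + 2:                            # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT_TYPE or len(ext) < 2:
            continue
        names = ext[2:2 + struct.unpack("!H", ext[:2])[0]]
        i = 0
        while i + 3 <= len(names):
            name_type = names[i]
            name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
            name = names[i + 3:i + 3 + name_len]
            if name_type == HOST_NAME:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
            i += 3 + name_len
    return None


# Constructed table: one IP, several virtual hosts, each with its own cert.
CERTS_BY_HOST = {
    "forum.example.org": "cert-forum",
    "www.example.org": "cert-www",
}


def select_certificate(record, certs=CERTS_BY_HOST, default="cert-default"):
    """Pick the certificate for the SNI hostname; fall back for clients without SNI."""
    host = extract_sni(record)
    return certs.get(host, default) if host else default
```

The fallback matters: a client that sends no server_name (old clients, or some scanners) gets the default certificate, which is exactly the behaviour that forced one IP per host before SNI was widely deployed. In a real server you would hand this decision to the TLS library (Python's `ssl.SSLContext.sni_callback` does the equivalent) rather than parsing records yourself.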

Joined: Thu Jan 27, 2011 6:28 pm
Posts: 8
Post Re: Forum PW's...
If you can see 2 lines of PHP code here then this hack didn't work; otherwise, if you see the word "LOL" anywhere on the page then the hack worked via PHP injection.
";echo "lol";
';echo "lol;
and the reply post routine needs looking at.


Fri Jan 28, 2011 12:16 am
Profile

Joined: Thu Jan 27, 2011 6:28 pm
Posts: 8
Post Re: Forum PW's...
OK, for some reason one of my quotation marks vanished, but the hack failed, so this forum is secure!


Fri Jan 28, 2011 12:17 am
Profile
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.