Bona Fide OS Development
http://forums.osdever.net/

Forum PW's...
http://forums.osdever.net/viewtopic.php?f=15&t=163
Page 2 of 3

Author:  ctimko [ Sun Aug 15, 2010 6:20 pm ]
Post subject:  Re: Forum PW's...

Kieran wrote:
But, since most people will access this website from home, more than likely via a wireless router, possibly with a wired connection for their main computer.

As long as the router is secured and the local exchanges are, then your data is secure from all but government agencies.

As far as I can see the main security risk would be ARP (ARP Poison Routing) to re-route network traffic, but this requires a direct link with the client, which would be hard to achieve if the correct security is used, i.e. WPA2 or a network using a RADIUS server for network authentication.


Not entirely. If two people are on the same subnet/router/switch [depends on configuration], then packets can be captured. You are assuming that all people are using routers, and none of them are DMZ'd. I can place a DMZ system onto, say, the AT&T DSL network, and capture the packets from all the other people on the same hub. ARP poisoning leading to a MitM attack would be useful for injecting and controlling the TCP streams, but a straight-up Wireshark sniff on a subnet will result in all clear-text passwords. On top of that, most wireless routers' default security is WEP, which can be cracked in a few minutes. It comes down to end-to-end encryption and verification. I would recommend getting an SSL cert for us if we put ads in place to pay for it (GoDaddy has them for a low price).

Author:  Kieran [ Thu Aug 19, 2010 12:16 pm ]
Post subject:  Re: Forum PW's...

Or our own CA... I can install EJBCA, which is a good solution. Or use Windows CA. You pay quite a bit for a certificate from most major CAs.

Author:  ctimko [ Sat Aug 21, 2010 10:53 am ]
Post subject:  Re: Forum PW's...

That you do. If we do our own CA, a link to download the cert so the browser stops complaining about not being able to verify it would be good. I know that there are some places that do free 1-year certs for open source projects, and we might be able to qualify.

Author:  brenden [ Wed Sep 15, 2010 3:33 pm ]
Post subject:  Re: Forum PW's...

I could buy one for like $15 and, now that I think of it, I have a spare waiting to be used at namecheap.com. I just hate HTTPS setup, especially since it needs its own IP.

Can't wait to have the new TLS SNI standard accepted: http://en.wikipedia.org/wiki/Server_Name_Indication

Author:  Kieran [ Thu Sep 16, 2010 4:35 am ]
Post subject:  Re: Forum PW's...

I'd propose using EJBCA due to its flexibility, and it will preserve complete control.

Author:  brenden [ Thu Sep 16, 2010 1:37 pm ]
Post subject:  Re: Forum PW's...

EJBCA?

Author:  Kieran [ Fri Sep 17, 2010 7:16 am ]
Post subject:  Re: Forum PW's...

It's an open-source, cross-platform Certification Authority that runs under JBoss or GlassFish.

It's really good, but a bit of a pain to install.

It's also tried and tested... Used by governments too...

You can build CAs, sub-CAs and all possible certificate types.

So a complete certificate chain/tree can be created.

Author:  ctimko [ Thu Sep 23, 2010 9:39 am ]
Post subject:  Re: Forum PW's...

brenden wrote:
I could buy one for like $15 and, now that I think of it, I have a spare waiting to be used at namecheap.com. I just hate HTTPS setup, especially since it needs its own IP.

Can't wait to have the new TLS SNI standard accepted: http://en.wikipedia.org/wiki/Server_Name_Indication


Not true. TLS uses the hostname and IP address as the superkey. I have 2 TLS certs on the same server for two different hosts. As for the $15, yeah, GoDaddy is pretty cheap now... so in short, SNI isn't a standard, it's an RFC, which makes it a really good suggestion. All major browsers support it. ((I have been writing my own webserver for a while now and I am getting into the TLS area.))

Author:  JamieGBH435 [ Fri Jan 28, 2011 12:16 am ]
Post subject:  Re: Forum PW's...

If you can see 2 lines of PHP code here then this hack didn't work; otherwise, if you see the word "LOL" anywhere on the page, then the hack worked via PHP injection:
";echo "lol";
';echo "lol;
And the reply post routine needs looking at.

Author:  JamieGBH435 [ Fri Jan 28, 2011 12:17 am ]
Post subject:  Re: Forum PW's...

OK, for some reason one of my quotation marks vanished, but the hack failed, so this forum is secure!
