
Re: a general security concern


  • From: Gunnar Hjalmarsson  
  • Date: Sat, 21 Oct 2000 18:31:04 -0600 (MDT)

Graham P Collins wrote:

> when I'm logged in as the ring admin if I pull up "Inactive Sites",
> for instance, there are links on the page such as the remove link
> for a site:
> ...
> I'm concerned that all this info -- the site of the ringadmin page
> and the username and password to login to it -- is being passed
> across the internet with no security. What is to stop some hacker
> from sniffing packets to detect strings like this and then go and
> wreak havoc?

Even if I'm not able to do such things myself, I agree that it would be
possible for a hacker to do it. In my opinion, the security level is
still good enough; I find it very hard to believe that hacking a ring
would be challenging enough for a skilled hacker to bother about. But of
course there is a risk, and that's one reason why it's important to back
up the files regularly.

> How difficult would it be to set things up so that the ringlink
> tools would use SSL or something to hide this info?

Interesting question. I just did an experiment and changed the $cgiURL
variable in my own rlconfig.pm file to a URL that passes the info
through a secure server. One problem is that the value of $cgiURL is
used not only for admin purposes, but also for navigation, so this
simple solution is not good enough. I guess that the $cgiURL variable
would need to be divided into two variables, one for admin and one for
navigation.

However, please feel free to study my experiment - I will keep it this
way for a few hours.

/ Gunnar
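
The split of $cgiURL into an admin and a navigation variable suggested in the message above, sketched as an added example that is not part of the original message and not Ringlink's own code. The names $navURL and $adminURL, the host names, the script names and the parameters are all assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical replacement for the single $cgiURL setting; these variable
# names and example.com hosts are assumptions, not Ringlink's own.
our $navURL   = 'http://www.example.com/cgi-bin/ringlink';     # public navigation
our $adminURL = 'https://secure.example.com/cgi-bin/ringlink'; # admin, SSL only

# Percent-encode a query value (core Perl only, ASCII input assumed).
sub esc {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Build a link from a base URL, a script name and a key/value list.
sub build_link {
    my ($base, $script, @params) = @_;
    my @pairs;
    while (my ($k, $v) = splice(@params, 0, 2)) {
        push @pairs, esc($k) . '=' . esc($v);
    }
    return "$base/$script" . (@pairs ? '?' . join('&', @pairs) : '');
}

# Navigation links carry no credentials and may stay on plain HTTP.
sub nav_link { return build_link($navURL, @_) }

# Admin links are refused unless the admin base is HTTPS, so a
# misconfigured base fails closed instead of sending the login in clear.
sub admin_link {
    die "admin base URL must be https: $adminURL\n"
        unless $adminURL =~ m{\Ahttps://}i;
    return build_link($adminURL, @_);
}

# Constructed sample calls; script and parameter names are hypothetical.
print nav_link('next.pl', ringid => 'demo', siteid => 'site1'), "\n";
print admin_link('admin.pl', ringid => 'demo', action => 'inactive'), "\n";

# Simulate pointing the admin base at the plain-HTTP URL: the guard dies.
{
    local $adminURL = 'http://www.example.com/cgi-bin/ringlink';
    eval { admin_link('admin.pl', ringid => 'demo') };
    print "refused: $@" if $@;
}
```

HTTPS protects these links in transit only; anything placed in the query string still ends up in server logs and browser history.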

