
Re: Security + Licensing


  • From: Gunnar Hjalmarsson  
  • Date: Wed, 04 Dec 2002 03:35:13 +0100

Let me first say, as I have done several times before, that Ringlink's security level is not very high. The starting-point for my considerations in this respect is that the information registered in a webring system is rather trivial.

The most important security measure that can be taken is to back up the data regularly. A Ringlink system owner can easily back up the data for all the rings in the system, and a ringmaster can easily download a backup file with the data for his/her ring.

Jayant Kumar Gandhi wrote:

> Presently password is passed through hidden form field.
> Wouldn't it be better if we use sessions?

One of the ideas in my head is to replace the hidden password fields with cookies. That's how passwords typically are handled on the Internet these days. Using temporary files appears to me to be unnecessarily complicated.


> Benefit:
> Make the system far more secure than present.

Even if I have similar thoughts, I have to ask: What can happen today, that would be prevented if the hidden password fields were replaced? "Far more secure" you say. In which respects?


> I will have the link to RingLink on all pages but do
> not wish to have the version number displayed. Why?
> For some extra security. If a person knows which
> version of RingLink it is, he might know an exploit
> for it.

I have difficulty understanding how that could be a security issue worth mentioning. The current release includes the version number on the admin pages, but not on the list page. I see two reasons to keep it on the admin pages:


1) Ringmasters who host their rings on someone else's system can see which version is being used, and with that which of the features, described at the Ringlink site, the system includes.

2) It makes support easier.

But if you prefer to remove the version number (but keep the link) on your Ringlink copy, I have no problem with that. For the reasons just mentioned, I'm not ready to remove it in the original program, though.

/ Gunnar
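
One way to carry a login in a cookie without server-side temporary files, so that the password is no longer written into a hidden field on every admin page. This is an added example, not part of the original message and not Ringlink's code. The cookie name `ringlink_session`, the function names, the secret and the 30-minute lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: a per-installation secret kept in server-side configuration.
# The value below is constructed for the example.
SERVER_SECRET = b"constructed-demo-secret-replace-per-install"
SESSION_LIFETIME = 1800  # seconds; hypothetical choice


def _sign(payload):
    """HMAC-SHA256 over the cookie payload, hex encoded."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(ring_id, now=None):
    """Call once, right after the ringmaster's password has been checked."""
    if not ring_id.isalnum():
        raise ValueError("ring id must be alphanumeric")  # keeps '|' unambiguous
    expires = int(time.time() if now is None else now) + SESSION_LIFETIME
    payload = f"{ring_id}|{expires}"
    return f"{payload}|{_sign(payload)}"


def verify_session_cookie(cookie, now=None):
    """Return the ring id the cookie authorises, or None if invalid or expired."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    ring_id, expires, sig = parts
    expected = _sign(f"{ring_id}|{expires}")
    # Constant-time comparison; the signature is checked before anything is parsed.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if int(expires) < (time.time() if now is None else now):
        return None
    return ring_id


def set_cookie_header(cookie):
    """Response header: not readable by page scripts, sent over HTTPS only."""
    return ("Set-Cookie: ringlink_session=" + cookie +
            "; HttpOnly; Secure; SameSite=Strict; Path=/")
```

The cookie holds only a ring id, an expiry time and a signature, so neither the page source nor the cookie reveals the password, and a copied cookie stops working when it expires.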

