--- Gunnar Hjalmarsson <gunnar@xxxxxxxxxxxx> wrote:

> security level is not very high. The starting-point for my
> considerations in this respect is that the information registered in a
> webring system is rather trivial.

What if some unauthorized person gains access and downloads a backup, and
hence has people's email addresses and passwords and can do anything with
them....

> One of the ideas in my head is to replace the hidden password fields
> with cookies. That's how passwords typically are handled on the Internet
> these days. Using temporary files appears to me to be unnecessarily
> complicated.

What I suggested is also cookies, but they are called session cookies.
They work everywhere, unlike cookies, which might be disabled in many
places.

> Even if I have similar thoughts, I have to ask: What can happen today
> that would be prevented if the hidden password fields were replaced?
> "Far more secure" you say. In which respects?

Presently, suppose the superadmin leaves the system unattended: anyone can
view the source of the page and get the password.

> I have difficulty understanding how that could be a security issue
> worth mentioning. The current release includes the version number on the
> admin pages, but not on the list page. I see two reasons to keep it on
> the admin pages:
>
> 1) Ringmasters who host their rings on someone else's system can see
> which version is being used, and with that which of the features
> described at the Ringlink site the system includes.
>
> 2) It makes support easier.
>
> But if you prefer to remove the version number (but keep the link) on
> your Ringlink copy, I have no problem with that. For the reasons just
> mentioned, I'm not ready to remove it in the original program, though.

I was asking permission for removing it on my copy only.

Reason: I do not want ring admins (who start a ring) to know it and hence
be able to exploit bugs in that version.

It may sound silly to you, but I am generally very particular about
security, and do not want anyone's personal info to be leaked, as they
trusted me when they gave me their email address and password (which is
generally the same everywhere).

As far as their looking for features is concerned, I will have a detailed
feature list with explanations on my site.

Best Regards,
Jayant.
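As an added illustration of the two approaches argued over in this thread (a password carried in a hidden form field on the admin page versus an opaque session cookie backed by server-side state); this is not code from Ringlink or from either correspondent, and the names SESSIONS, create_session, session_user and the cookie name ringlink_session are assumptions made for the example:

```python
import secrets
import time
from html import escape

# Constructed in-memory session store: token -> (ringmaster name, expiry time).
SESSIONS = {}
SESSION_TTL = 30 * 60  # seconds an admin session stays valid

def hidden_field_form(ringmaster, password):
    """The pattern under discussion: the password is echoed into a hidden input, so 'view source' on an unattended admin page reveals it."""
    return (
        '<form method="post" action="/admin">\n'
        f'  <input type="hidden" name="ringmaster" value="{escape(ringmaster)}">\n'
        f'  <input type="hidden" name="password" value="{escape(password)}">\n'
        '  <input type="submit" value="Save">\n'
        '</form>'
    )

def create_session(ringmaster, now=None):
    """Issue a random, unguessable token after login and keep the mapping server-side; only the token travels in the cookie."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (ringmaster, (now if now is not None else time.time()) + SESSION_TTL)
    return token

def session_user(token, now=None):
    """Resolve a cookie token to a ringmaster; None if the token is unknown or expired."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    ringmaster, expires = entry
    if (now if now is not None else time.time()) >= expires:
        SESSIONS.pop(token, None)  # drop the stale session so the token cannot be reused
        return None
    return ringmaster

def session_form(ringmaster):
    """The same admin form without the credential: identity comes from the session, so the page source contains nothing secret."""
    return (
        '<form method="post" action="/admin">\n'
        f'  <p>Editing ring as {escape(ringmaster)}</p>\n'
        '  <input type="submit" value="Save">\n'
        '</form>'
    )

def set_cookie_header(token):
    """Set-Cookie value for the token: no Expires/Max-Age makes it a browser-session cookie; HttpOnly keeps page scripts from reading it."""
    return f"ringlink_session={token}; Path=/; HttpOnly"
```

The hidden-field version puts the password into every rendered admin page, while the session version exposes only a short-lived random token that maps to the ringmaster on the server.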