George Kirikos wrote:
> At present, for those not using the API, the RWI interface represents
> the most rich target for a potential attacker. Gaining unauthorized
> access, they could wreak havoc on an account.

If Tucows were actually concerned with security, the RWI interface should be changed to require Client Certificates [in addition to a password].

We have an internal application where we generate certificates for all client access to a reporting website; sure, it is a serious pain to deal with people who don't even know what browser they are using, but it means we have zero maintenance of passwords and absolute control over who has access to what. We actually use the fully qualified DN in the certificate to limit access to a specific subtree.

More information available if desired...

John
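
An added example, not part of John's message or any Tucows code: one way to implement the DN-subtree restriction described above, comparing parsed RDNs rather than raw strings so that escaped commas inside a value cannot shift the match. The base DN, sample subjects and function names are constructed for illustration, and the subject DN is assumed to come from a client certificate the TLS layer has already verified.

```python
import re

_HEX = re.compile(r"[0-9A-Fa-f]{2}")
BASE = "OU=Reports,O=Example Corp,C=US"   # constructed subtree, not from the post

def _split(s, sep):
    """Split on unescaped `sep`, leaving backslash escapes in place."""
    parts, cur, i = [], "", 0
    while i < len(s):
        step = 2 if s[i] == "\\" else 1   # keep an escaped separator together
        if s[i] == sep:
            parts.append(cur); cur = ""
        else:
            cur += s[i:i + step]
        i += step
    return parts + [cur]

def _unescape(v):
    """Decode RFC 4514 escapes: hex pairs are UTF-8 bytes, others are literal."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] != "\\":
            out += v[i].encode(); i += 1
        elif _HEX.match(v, i + 1):
            out.append(int(v[i + 1:i + 3], 16)); i += 3
        elif i + 1 < len(v):
            out += v[i + 1].encode(); i += 2
        else:
            raise ValueError("dangling backslash")
    return out.decode("utf-8")

def parse_dn(dn):
    """RFC 4514 string -> list of RDNs (most specific first), normalised."""
    rdns = []
    for rdn in _split(dn, ","):
        avas = set()
        for ava in _split(rdn, "+"):      # multi-valued RDN
            attr, eq, value = ava.partition("=")
            if not eq or not attr.strip() or not value.strip():
                raise ValueError(f"malformed RDN: {rdn!r}")
            # Assumption: values compare case-insensitively (directoryString).
            avas.add((attr.strip().lower(), _unescape(value.strip()).casefold()))
        rdns.append(frozenset(avas))
    return rdns

def in_subtree(client_dn, base_dn=BASE):
    """True only if client_dn sits strictly below base_dn; bad input is denied."""
    try:
        client, base = parse_dn(client_dn), parse_dn(base_dn)
    except ValueError:
        return False
    return len(client) > len(base) and client[-len(base):] == base
```

A subject such as `CN=eve\,OU=Reports,O=Example Corp,C=US` ends with the base string but is denied, because the escaped comma makes `OU=Reports` part of the CN value rather than a separate RDN.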
