On Thu, 1 Feb 2001 23:17:05 -0500, Pierre Abbat said:
> On Thu, 01 Feb 2001, David Bishop wrote:
> >Well, to replicate what I assume a lot of people here do (i.e., maintain web
> >servers/ftp servers) it is crucial that you limit who can upload to the
> >machine, but not who sees what is *on* the machine. So the fact that I'm
> >uploading a new index.html to my machine isn't sensitive at all, anyone who
> >goes to my box can see that. However, I obviously don't want just anyone to
> >be able to upload to my machine. To be honest, that is a *lot* more common
> >for me than having actual sensitive data. If I didn't know that it would be
> >taken advantage of by script kiddies and idiots, I would open up my whole
> >machine to the 'net, cuz I frankly have nothing on there that I care if
> >anyone else sees. It's just limiting who can *change* it that I care about.
>
> What I would do in this case, where the data have to go fast and can go in the
> clear but the authentication must be encrypted, is use rsync without ssh and
> set a password on the module. The password will be authenticated with a
> challenge-response protocol, then rsync will transmit whatever part of the data
> has changed.
>
> phma

I was using the uploading to a web server as an example, but really, any
connexion I make could fall under the same umbrella of "need secure auth, not
transport". With *all* of the insecure protocols I use (ftp, pop3, telnet,
etc) I don't care if you watch every single bit I send back and forth, just
so long as you can't steal my user/pass. I know in the Era of Privacy
Advocates it's odd to see someone who truly doesn't care, but I don't :-)
D.A.Bishop
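
Added example, not part of the original messages: a minimal challenge-response login of the kind described in the quoted reply, showing that the password never crosses the wire and that a captured response cannot be replayed. It uses HMAC-SHA256 as a stand-in and is not rsync's actual wire format; the `Server` class, `compute_response`, `demo`, and the credentials are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Server:
    """Holds per-user shared secrets and issues single-use challenges."""

    def __init__(self, users):
        self.users = users      # {username: password}; constructed sample data
        self.pending = {}       # username -> outstanding challenge

    def challenge(self, user):
        nonce = secrets.token_bytes(16)     # fresh random value per attempt
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)    # single use: replays find nothing
        password = self.users.get(user)
        if nonce is None or password is None:
            return False
        expected = compute_response(password, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def compute_response(password, nonce):
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


def demo():
    server = Server({"webmaster": "correct horse"})  # hypothetical account
    wire = []                       # everything a passive observer would see

    nonce = server.challenge("webmaster")
    response = compute_response("correct horse", nonce)
    wire += [nonce, response]
    first = server.verify("webmaster", response)

    # The captured response is presented again against a fresh challenge.
    server.challenge("webmaster")
    replay = server.verify("webmaster", response)

    leaked = any(b"correct horse" in msg for msg in wire)
    return first, replay, leaked


if __name__ == "__main__":
    print(demo())
```

Only the login is protected here: the data that follows is sent without integrity protection, and the shared secret should be long and random because a recorded challenge and response pair can be tested against guessed passwords offline.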