On Tue, 2012-09-25 at 11:13 +0200, Oleksandr Shneyder wrote:
> On 25.09.2012 11:01, Moritz Struebe wrote:
> > On 2012-09-25 10:47, Oleksandr Shneyder wrote:
> >> Sure, it is a
> >> fail of system administrator, if he allows such unencrypted authentication
> >> over Internet. But I don't even give them a possibility to make such
> >> mistake...
> Sorry, here should be "I don't want to give" instead of "I don't give"
> >
> >
> > I don't really get your point. The credentials are used by the browser
> > anyway - because otherwise there would be no need for a proxy. I don't
> > think it's our job to disable features because of incompetent system
> > administrators. After all proxy authentication is normally used within LANs.
>
> I don't want to disable any features. I only say, it is nice to have a
> possibility to send authentication data to server encrypted. In LAN it
> is not such a big problem to send it in clear text. But in case of
> SSH-Proxy it is an Internet connection. And I want, that everyone, who
> uses this feature with X2Go knows, that sending unencrypted data over
> Internet is not safe. And that should not be the same authentication
> data as used on other servers.
<snip>

I very much agree with Alex here. Although we can absolve ourselves of
the responsibility, it is wiser to do as much as we can to prevent both
admins and users from shooting themselves the stupid things they may do.

For example, it is not just a matter of a sloppy admin not realizing
they should use a separate authentication domain for the proxy; even if
they do, we have the social engineering problem of users using the same
password for the proxy as for anything else. Once one intercepts that
password, a cracker will try it everywhere they can for that user.

Thus, I would strongly advocate all authentication even to the proxy be
protected by encryption. Thanks - John
_______________________________________________
X2Go-Dev mailing list
X2Go-Dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev