On Wed, 25 Jun 2014, Tom Hayward wrote:

> On Wed, Jun 25, 2014 at 7:32 AM, Eric H. Christensen
> <[email protected]> wrote:
>> Also, it appears that the server supports EXPORT cipher suites. I'd recommend
>> just supporting HIGH ciphers.
>
> Thinking a little more outside the box, how about supporting null
> cipher, for those users coming from ham RF networks? By
> supporting HIGH and eNULL, the browser gets to choose. Most browsers
> will choose HIGH, unless the ham has specifically configured their
> browser not to allow encryption.

In principle I'm in favor of the NULL cipher. I hung out on the OpenSSH list for a year
or more trying to get them to put the NULL encryption back in, specifically to support
ham networks. What I got back from the developers was something like: "Tell your
government to not use such stupid rules for radio!" or similar. In the end all I
could do was split off the NULL patches from the High Performance Computing monster
patch, and the HPC guy said he would maintain it as a separate patch from now on. That's
SSH though, not SSL, but same principles apply.

> How is this secure compared to plain text http?
>
> 1) The remote server is authenticated (not currently the case, because
> Curt did not tell us which self-signed cert to expect. Maybe he could
> send a PGP-signed message to let us know what key to expect on the
> server, or get his cert signed by one of the free, trusted CAs like
> StartCom)

Really necessary? Seriously, it's a Wiki password that's at risk here, and
perhaps a few Wiki pages, that can be reconstructed if they're mangled. If an
account gets compromised, let me know and I'll fix things up.
I'm all for security when it's truly necessary, but let's go easy here. No
personal data is on this site, not credit card info, nothing.

> 2) You can turn on SSL client authentication and use it in lieu of
> passwords. There's a MediaWiki extension for this:
> http://www.mediawiki.org/wiki/Extension:SSL_authentication, and the
> ARRL signs certificates, free (free world-wide, regardless of
> membership), that can be trusted more than a CAPTCHA.

Again, I wanted a simple way to get to https. I don't have unlimited time to
play with the server, plus would like to get back to doing releases and/or code
development. The ARRL certificates sound wonderful, but there's a bunch of
work I'd need to do, plus each ham would have to go through the process to get
their own certificate. I kind'a doubt that will get done just for a wiki
login. The people who would win out are the ones that have already gone
through the process for other reasons, like contest logging.
Let's table this discussion for a while. I need to implement automated backups
of the list config, list archives, mysql dump, server configs, and wiki
configs. Right now that's my #1 priority for the server. Also need to push
out another stable Xastir release, whether or not we do the map cleanups that
were suggested previously.
Oh yea, and the reverse DNS doesn't work yet so some of the list emails can't
go out, to servers that check such. I've submitted a trouble-ticket to
cloudatcost but so far there's been no movement on it. I would apologize to
those that aren't getting the list emails, but they won't get this message
either!
--
Curt, WE7U. http://wetnet.net/~we7u
APRS Client Capabilities: http://wetnet.net/~we7u/aprs_capabilities.html
_______________________________________________
Xastir mailing list
[email protected]
http://xastir.org/mailman/listinfo/xastir
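
The cipher-suite point discussed in this thread (EXPORT suites enabled on the server, and the proposal to offer HIGH plus eNULL so the client decides), as an added example that is not part of the original messages or of the Xastir server's configuration. The suite table, the two client offers and the function names are constructed for illustration; the suite names are OpenSSL's.

```python
# Constructed sample table: OpenSSL suite names mapped to the cipher-string
# class that selects them. This is a small subset chosen for the example.
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": "HIGH",
    "AES256-SHA": "HIGH",
    "NULL-SHA256": "eNULL",      # RSA authentication + SHA-256 MAC, no encryption
    "NULL-SHA": "eNULL",
    "EXP-DES-CBC-SHA": "EXPORT",  # 40-bit export-grade encryption
    "EXP-RC4-MD5": "EXPORT",
}

# Constructed client offers: a browser with default settings offers no NULL
# suites; a client set up for unencrypted ham RF links offers only NULL suites.
DEFAULT_BROWSER = ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA"]
HAM_CLIENT = ["NULL-SHA256", "NULL-SHA"]


def expand(policy):
    """Return the suites a server enables for a set of class names."""
    return [name for name, cls in SUITES.items() if cls in policy]


def negotiate(server_suites, client_offer):
    """Pick the first suite in the client's offer that the server enables.

    Returns None when there is no overlap (the handshake would fail).
    """
    for suite in client_offer:
        if suite in server_suites:
            return suite
    return None


def audit(server_suites):
    """List enabled suites that give weak (EXPORT) encryption."""
    return [s for s in server_suites if SUITES[s] == "EXPORT"]


if __name__ == "__main__":
    current = expand({"HIGH", "eNULL", "EXPORT"})
    proposed = expand({"HIGH", "eNULL"})
    print("EXPORT suites still enabled:", audit(current))
    print("default browser gets:", negotiate(proposed, DEFAULT_BROWSER))
    print("ham client gets:", negotiate(proposed, HAM_CLIENT))
    print("ham client vs HIGH-only server:", negotiate(expand({"HIGH"}), HAM_CLIENT))
```
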