#23
Aug 2012
New Hampshire
23·101 Posts
Okay, so there is a project underway to move the site to SSL or improve security. Fetching work and submitting work for MISFIT does not require you to authenticate, only to pass in your user ID. This would of course mean that people's work can be compromised by some jerk face. So unless there's authentication for fetching work by user ID and password, and authentication for submitting completed work, I don't see the point.

#24
If I May
"Chris Halsall"
Sep 2002
Barbados
13·733 Posts
There is probably no real value in moving Prime95/mprime/MISFIT clients to SSL since the password is not revealed during exchanges, and there are going to be many clients which were "fired and forgotten" years ago. So simple cleartext exchanges will have to continue to be supported (or, some "firepower" will be lost). On the other hand, there's no real downside in implementing SSL for new deployments.

At the end of the day, this is mostly about the "human users" accessing the site, where both the Username and Password are passed in (effectively) cleartext (there's sometimes a little bit of obfuscation done on the password, but it's easily reversible).

P.S. A learning experience for me... While GPU72 has supported SSL for many years, I tried implementing "Digest" rather than "Basic" authentication quite some time ago. Many people complained because their browsers "remembered the password" (they didn't), but the browsers didn't bother trying the same password across the two different Auth methods.

#25
Aug 2012
New Hampshire
32816 Posts
Well, my task was to move MISFIT to HTTPS for the mersenne.org site and it appears to be working.
Scott

#26
If I May
"Chris Halsall"
Sep 2002
Barbados
13×733 Posts

#27
"Kieren"
Jul 2011
In My Own Galaxy!
2×3×1,693 Posts

#28
If I May
"Chris Halsall"
Sep 2002
Barbados
13·733 Posts

#29
Aug 2012
New Hampshire
23×101 Posts
Thanks for the recognition. I like that we did all the work when I had the time and we have a stable utility that doesn't require constant patching and such.
Has anyone else done any testing of MISFIT 2.11.0?

Last fiddled with by swl551 on 2017-02-02 at 03:02

#30
Serpentine Vermin Jar
Jul 2014
37×89 Posts
What spurred me into action recently was the fact that my corporate IT folks had set up some rules to find "leaking" security info going out the firewall, and they flagged when I logged into the server from my work machine. Heck, it wouldn't have even been so bad if the form data being posted wasn't "username" and "password", which made it even more obvious what it was doing. You can see it for yourself, it's not hidden... it's part of the code on each page if you're not logged in; there's a <form method="post"> right there.

Anyway, they emailed to confirm I had meant to do that (and not some rogue bot on our network), to which I sheepishly replied "yup". Then they further asked me "and your username was XX and your password was YY", to which I even more sheepishly replied "yup".

So, it's bad enough to know a MITM scan can grab that, but then to see it happen (at least it was my own company, not some random person on a public wifi, which I would never actually use, I'm not insane) makes it hit home.

So... for the price of $10 for a 3 year certificate, it's actually a very cheap way to make sure all is well. The prices of certs have definitely come WAY down. That's probably what kept us from doing it a couple years back.

My first thought was "just POST the form to https", but then you don't see the site is secure when you're entering your password... unless you're really technical you wouldn't know it was secure when you hit "log in". And there's really no good reason NOT to secure the whole site... not anymore.

I hope that explains the rationale more.
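The failure mode described in this post (a plain `<form method="post">` with a password field on an http page) can be checked for mechanically. The following is an added example, not code from the forum or from mersenne.org; the page URL and HTML it scans are constructed, and it flags both a form that POSTs over http and the weaker "http page, https action" variant the post mentions.

```python
"""Added example (not from the forum thread): flag login forms that would send
a password in cleartext. The page URL and HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collects (action, method, has_password_field) for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = [a.get("action") or "", (a.get("method") or "get").lower(), False]
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur[2] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(tuple(self._cur))
            self._cur = None


def cleartext_password_forms(page_url, html):
    """Return human-readable findings for password forms that are not end-to-end https."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action, method, has_pw in scanner.forms:
        if not has_pw:
            continue
        submit_url = urljoin(page_url, action)  # empty action posts back to the page itself
        if urlsplit(submit_url).scheme != "https":
            findings.append(f"password POSTed over http to {submit_url} (method={method})")
        elif not page_https:
            # An https action on an http page: no lock icon while typing, and the
            # form itself can be rewritten in transit before the user submits it.
            findings.append(f"https action {submit_url} but form served over http")
    return findings


# Constructed sample page: a login form with no action attribute, served over plain http.
SAMPLE_HTML = """<html><body>
<form method="post"><input name="username"><input type="password" name="password">
<input type="submit" value="Log in"></form>
<form method="get" action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in cleartext_password_forms("http://example.test/login", SAMPLE_HTML):
        print("FINDING:", finding)
```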

#31
If I May
"Chris Halsall"
Sep 2002
Barbados
22471₈ Posts
Two points:

1. I try to use passphrases rather than passwords. Greater entropy, and easier to remember.
1.1. Interestingly, many sites limit password lengths to 16 characters.
2. I once did a small project for the United Nations. I had to spend about an hour filling out a multi-page SSL enabled web form where they wanted to know absolutely everything about me -- including my height, weight, blood-type, eye-color and penis length (I'm only half joking).
2.1. The punchline was they almost didn't retain me because I didn't have a degree, but sent back to me my submitted Username and Password in cleartext in a confirmation email "in case I forgot" what I had submitted.

True story.

#32
"/X\(‘-‘)/X\"
Jan 2013
3·977 Posts
As soon as I see a length limit on a password I know it's being stored insecurely.
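The reasoning behind this post is that a properly hashed password occupies the same storage regardless of its length, so a 16-character cap has no storage justification. The following added example (not from the forum or any site discussed here) shows a salted PBKDF2 store whose record size is fixed; the generous MAX_LEN bound exists only to limit hashing CPU cost, and the iteration count is an assumption.

```python
"""Added example (not from the forum thread): a password store whose record
size does not depend on password length, so no 16-character cap is needed."""
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; tune to your hardware
MAX_LEN = 1024         # bounds CPU work per attempt, not storage


def hash_password(password, salt=None):
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_LEN:
        raise ValueError("password too long")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Constant-time comparison against a stored record; never truncates the input."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    pw = password.encode("utf-8")
    if len(pw) > MAX_LEN:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple, and then some more words")
    print(len(rec), verify_password("correct horse battery staple", rec))
```

Because the digest is fixed-size, a site that really stores hashes has no reason to reject a 200-character passphrase; a hard cap near 16 usually means the raw value (or a truncation of it) is being kept.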

#33
If I May
"Chris Halsall"
Sep 2002
Barbados
22471₈ Posts