plain text authentication

decon

Joined: 2003-08-23
Posts: 2
Posted: Sun, 2003-08-24 09:42

00 03 6D 10 C6 32 00 A0 CC D1 04 88 08 00 45 00 00 60 BA F1 40 00 80 06 16 B4 0A 0A 0A 68 0A 0A 0A 77 12 F2 00 50 8B 6D B5 9B 2E F3 DA 0C 50 18 44 70 C8 75 00 00 63 6D 64 3D 6C 6F 67 69 6E 26 70 72 6F 74 6F 63 6F 6C 5F 76 65 72 73 69 6F 6E 3D 32 2E 33 26 75 6E 61 6D 65 3D 61 64 6D 69 6E 26 70 61 73 73 77 6F 72 64 3D 31 32 33 34

-----------
..m..2. ...ˆ..E..`.ñ@.€......h...w...P‹m.›....P.Dp.u..cmd=login&protocol_version=2.3&uname=admin&password=123

How about an encrypted session for this? plaintext icky! Maybe a little obfuscation?

Great job by the way!!! I love Gallery

paour

Joined: 2002-08-14
Posts: 1479
Posted: Sun, 2003-08-24 17:00

Hum... SSL or HTTPS is exactly what you're looking for. Obfuscation is no better than cleartext, especially if you're talking about Base64.

SSL/HTTPS is supported in GR 1.1, which just came out as a Release Candidate.
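Added example, not code from this thread or from Gallery Remote: a small passive monitor in Python that decodes the frame decon posted (Ethernet, IPv4 and TCP headers, then the POST body), pulls the form fields out and raises an alert when a credential field crosses the wire in cleartext, which is the check a network sensor would run against exactly this traffic. It also unwraps a Base64-wrapped body before parsing, to make paour's point concrete: an observer reverses "obfuscation" as easily as reading cleartext. The field-name lists, the port list and the alert format are assumptions of this example; the hex dump is the one from the first post.

```python
import base64
import re
from typing import Dict, Optional
from urllib.parse import parse_qs

# Ethernet frame from the first post in the thread (hex dump copied verbatim).
FRAME_HEX = (
    "00 03 6D 10 C6 32 00 A0 CC D1 04 88 08 00 45 00 00 60 BA F1 40 00 80 06 16 B4 "
    "0A 0A 0A 68 0A 0A 0A 77 12 F2 00 50 8B 6D B5 9B 2E F3 DA 0C 50 18 44 70 C8 75 "
    "00 00 63 6D 64 3D 6C 6F 67 69 6E 26 70 72 6F 74 6F 63 6F 6C 5F 76 65 72 73 69 "
    "6F 6E 3D 32 2E 33 26 75 6E 61 6D 65 3D 61 64 6D 69 6E 26 70 61 73 73 77 6F 72 "
    "64 3D 31 32 33 34"
)

# Form field names the monitoring rule treats as credentials (assumed lists).
SENSITIVE_FIELDS = ("password", "passwd", "pwd")
USER_FIELDS = ("uname", "username", "user")
CLEARTEXT_HTTP_PORTS = (80, 8080)   # assumed: ports where HTTP runs without TLS


def parse_frame(hex_dump: str) -> Dict[str, object]:
    """Walk Ethernet -> IPv4 -> TCP headers and return endpoints plus the TCP payload."""
    raw = bytes.fromhex(hex_dump)
    if int.from_bytes(raw[12:14], "big") != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = int.from_bytes(ip[2:4], "big")    # IPv4 total length
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "src_port": int.from_bytes(tcp[0:2], "big"),
        "dst_port": int.from_bytes(tcp[2:4], "big"),
        "payload": tcp[data_off:],
    }


_BASE64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def obfuscated(body: bytes) -> bytes:
    """The kind of 'obfuscation' suggested in the first post: plain Base64."""
    return base64.b64encode(body)


def extract_form_fields(payload: bytes) -> Dict[str, str]:
    """Return the form fields carried by an HTTP payload.

    Handles a payload that includes the request line and headers as well as one
    that is only the POST body (as in the posted frame, which is a continuation
    segment).  A body that looks like Base64 is unwrapped first: the observer
    can do that too, which is why obfuscation is no better than cleartext."""
    body = payload.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in payload else payload
    body = body.strip()
    if _BASE64_RE.fullmatch(body) and len(body) % 4 == 0:
        body = base64.b64decode(body)
    fields = parse_qs(body.decode("ascii", errors="replace"))
    return {name: values[0] for name, values in fields.items()}


def cleartext_credential_alert(frame: Dict[str, object]) -> Optional[str]:
    """Emit an alert line when a credential field crosses the wire unencrypted.
    The secret itself is deliberately never written into the alert."""
    if frame["dst_port"] not in CLEARTEXT_HTTP_PORTS:
        return None
    fields = extract_form_fields(frame["payload"])
    leaked = [name for name in SENSITIVE_FIELDS if name in fields]
    if not leaked:
        return None
    user = next((fields[n] for n in USER_FIELDS if n in fields), "<unknown>")
    return (f"cleartext credential: {frame['src_ip']}:{frame['src_port']} -> "
            f"{frame['dst_ip']}:{frame['dst_port']} user={user} fields={','.join(leaked)}")


if __name__ == "__main__":
    frame = parse_frame(FRAME_HEX)
    print(frame["payload"].decode("ascii"))
    print(cleartext_credential_alert(frame))
```

On the posted frame the alert reads `cleartext credential: 10.10.10.104:4850 -> 10.10.10.119:80 user=admin fields=password`; the same alert fires if the body is Base64-wrapped, and nothing fires once the session is on port 443, which is the whole argument for SSL/HTTPS rather than encoding tricks.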

macemoneta

Joined: 2002-10-13
Posts: 17
Posted: Sun, 2003-08-31 02:53

The problem with the SSL/HTTPS implementation in GR is that it doesn't work with a self-signed certificate. If you are just using SSL for encrypting the passwords, there's no reason to register with a certificate authority. Web browsers will give you a warning (and let you import the certificate for future access), but they don't prevent access, as GR does.

paour

Joined: 2002-08-14
Posts: 1479
Posted: Sun, 2003-08-31 08:12
macemoneta wrote:
The problem with the SSL/HTTPS implementation in GR is that it doesn't work with a self-signed certificate. If you are just using SSL for encrypting the passwords, there's no reason to register with a certificate authority. Web browsers will give you a warning (and let you import the certificate for future access), but they don't prevent access, as GR does.

True. But Java makes the call as to whether to accept a certificate or not. I can't (or rather it would be very difficult and not worth it, IMHO) build a UI to automatically import the certificate. However, the manual explains how to import a certificate into the VM, even if the RootCA isn't trusted.

GR 1.1-RC1 even shows an error message pointing out the relevant info.

macemoneta

Joined: 2002-10-13
Posts: 17
Posted: Sun, 2003-08-31 14:06

The process to export/import the certificate poses too high a boundary for end users. The effect is that those that need security the most are least likely to use it. A knowledgeable individual can go through this process (or use SSH or IPSEC to secure communications), but a Gallery Remote end-user cannot be expected to. Their eyes will glaze over at "read this PDF file"... :D

Without a GUI interface in GR ("Hey! I don't trust this web site! Do you want to trust them anyway?" yes/no/remember), GR is effectively without security for the majority of its users. Since write access requires authentication, and authentication is too difficult in GR, the browser (and its limited interface) is all sites should permit.
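Added example, not code from the thread or from Gallery Remote (which, as paour says, leaves the trust decision to the Java VM and its truststore): a Python sketch of the yes/no/remember dialog macemoneta describes, implemented as a per-host trust-on-first-use store keyed by the SHA-256 fingerprint of the server certificate. The one rule worth seeing in code is what happens after "remember": a host that later presents a different certificate is refused without a prompt, because a silently changed certificate is what interception looks like, and the user has to clear the entry deliberately. The certificate bytes in the usage are constructed placeholders, not real DER; the file format and function names are this example's own.

```python
import hashlib
import json
from pathlib import Path
from typing import Callable, Dict, Optional

# The prompt returns "yes" (trust for this session), "no", or "remember" (pin it).
AskFn = Callable[[str, str], str]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate: the value a user can
    compare with what the site operator publishes out of band."""
    return hashlib.sha256(cert_der).hexdigest()


class TrustStore:
    """Per-host trust-on-first-use store for self-signed server certificates.
    With path=None the store is in-memory only (used by the tests below)."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.trusted: Dict[str, str] = {}
        if path is not None and path.exists():
            self.trusted = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.trusted, indent=2))

    def check(self, host: str, cert_der: bytes, ask: AskFn) -> bool:
        """Decide whether to proceed with the connection to host."""
        fp = fingerprint(cert_der)
        known = self.trusted.get(host)
        if known == fp:
            return True                 # remembered earlier: no prompt
        if known is not None:
            # A pinned host now presents a different certificate.  Refuse
            # without asking; the user must call forget() first if the server
            # really was re-keyed.  Prompting here would train users to click
            # "yes" on exactly the case the dialog exists to catch.
            return False
        answer = ask(host, fp)
        if answer == "remember":
            self.trusted[host] = fp
            self._save()
            return True
        return answer == "yes"

    def forget(self, host: str) -> None:
        """Drop a pinned fingerprint (explicit user action)."""
        self.trusted.pop(host, None)
        self._save()


def console_prompt(host: str, fp: str) -> str:
    """Minimal text version of the yes/no/remember dialog."""
    print(f"The certificate presented by {host} is not trusted.")
    print(f"SHA-256 fingerprint: {fp}")
    while True:
        answer = input("Trust it? [yes/no/remember] ").strip().lower()
        if answer in ("yes", "no", "remember"):
            return answer


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a real DER certificate.
    store = TrustStore(Path("trusted_hosts.json"))
    print(store.check("gallery.example", b"constructed-cert-bytes", console_prompt))
```

The store answers the usability objection without weakening the check: a remembered host connects silently, an unknown host gets one decision, and a changed certificate is treated as a failure rather than a question.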