Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Secure Login

by Anonymous Monk
on Apr 24, 2003 at 20:59 UTC ( [id://253002]=monkdiscuss: print w/replies, xml ) Need Help??

Hi, is there a secure way to login to Perlmonks? Thanks.

Replies are listed 'Best First'.
Re: Secure Login
by theorbtwo (Prior) on Apr 25, 2003 at 00:06 UTC

    No, there isn't, and one isn't likely to be added any time terribly soon. The reason is that the insecurity isn't in HTTP being cleartext, but rather in the cookies not being as opaque as they should be.

    (If you're interested in changing that fact, level 7 or higher, and trustworthy, you might want to consider becoming a pmdevil.)

    Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).

[reply]

      Making the cookie content more opaque wouldn't help. Snooping an opaque cookie is just as simple as snooping the login details or the plaintext cookie.

      Moving to an expiring key based authentication system with a secure login would reduce the window of opportunity for highjacking. Encrypting everything over https makes it more secure (if, of course, you trust the gods and pmdev).

      However, personally, for something like perlmonks I really don't think it's worth the effort or cost.

[reply]
Re: Secure Login
by LameNerd (Hermit) on Apr 24, 2003 at 21:10 UTC
    Does it matter? What are you afraid of? Just don't use your realname.
    or post anything that might reveal <dramatic music>your true identity!
    And don't get hung up about XP. If you do those things why would you care if
    someone was to spoof your perlmonks login?
[reply]
    A reply falls below the community's threshold of quality. You may see it by logging in.
Re: Secure Login
by Jaap (Curate) on Apr 25, 2003 at 09:37 UTC
    This thread isn't going where i expected it to go. Identity theft is a problem imho and personally i expected the elite perl hackers® to recognize that. It's true that the original poster had a weak argument in the 'trustworthyness' of the code posted, but identitytheft is something any programmer should be aware of.

    On a practical side: the way the login system is set up now (with the cookie) would not be secure over http after a login over https. So that would require some modification.
[reply]
Re: Secure Login
by fokat (Deacon) on Apr 28, 2003 at 18:02 UTC

    I guess this is a wrong solution for a correct problem. The solution I decided a while ago, includes signing the code I upload to CPAN with GPG, so that people can verify it. This still gives no assurance so as to the potentially malicious intent that a given author might have, but allows users to authenticate the code properly.

    Best regards

    -lem, but some call me fokat

[reply]
A reply falls below the community's threshold of quality. You may see it by logging in.

Back to Perl Monks Discussion

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: monkdiscuss [id://253002]
Approved by Mr. Muskrat
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others goofing around in the Monastery: (5)
As of 2024-04-24 12:28 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found