With the undeniable proliferation of internet cafes/wireless access points, in addition to public terminals routinely found in libraries, etc., I cannot help but ruminate on the potential security implications. With PM user information (login and password) being passed to the server in plaintext (unencrypted form), there is essentially nothing to prevent an interloper from utilizing a sniffer and/or keyboard logger so that he/she could gain unauthorized access to an account. Clearly, this could result in an incident that is more than merely annoying:
- Change your home node photo to something which clearly violates the terms of usage.
- Obtain user information (private email address), etc.
- Impersonate someone in the CB and/or send private messages designed to berate another PM user.
- In the event that a monk is a privileged member (pmdev, etc.), the potential ramifications obviously warrant a greater degree of concern.
- Change your password, thereby locking you out of your own account. This scenario would dictate that you contact an appropriate monk and verify your identity in some fashion. Perhaps an enigmatic/cryptic phrase could be agreed upon in advance.
- Provide the option for all monks to generate a relatively small list of disposable passwords (similar to a one-time pad). The monk in question would retain this list and use each password in sequential order only when logging in from a machine in a public setting. Once he/she logs out, the password that was used is invalidated thereby rendering a sniffer/keyboard logger completely ineffective.
- Create a checkbox under the password field that, if checked, would limit that specific session to CB conversations only.
I'm eager to hear what suggestions or criticisms (yes, even those) you collectively have.
If you've read this far, thanks. <grin>.
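The disposable-password list proposed above, worked through as an added example (it is not code from the original post or from PerlMonks, and it is written in Python rather than Perl for convenience). The class and function names, the alphabet, and the PBKDF2 round count are assumptions chosen for the illustration. The server keeps only salted hashes of the list, accepts each password exactly once and only in the order generated, so a password captured by a sniffer or keylogger is useless once the legitimate login has consumed it:

```python
"""Added example (not from the original post): a disposable-password list of
the kind the post proposes, stored server-side as salted hashes so a copy of
the database does not reveal the unused passwords. Names below are invented."""
import hashlib
import hmac
import secrets

# Characters chosen to avoid look-alikes (0/O, 1/l) when the list is printed out.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; raise in production


def generate_password_list(count: int = 10, length: int = 10) -> list[str]:
    """Produce `count` random disposable passwords; shown to the user once, then only hashes are kept."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


class DisposablePasswordList:
    """Server-side record of one monk's disposable passwords.

    Passwords must be used in the order generated; each verifies at most once.
    """

    def __init__(self, passwords: list[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self._hashes = [self._hash(p) for p in passwords]
        self._next = 0  # index of the next password that is still valid

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def remaining(self) -> int:
        """Number of passwords not yet consumed."""
        return len(self._hashes) - self._next

    def verify(self, candidate: str) -> bool:
        """Accept `candidate` only if it is the next unused password; consume it on success."""
        if self._next >= len(self._hashes):
            return False  # list exhausted: the monk must generate a new one
        ok = hmac.compare_digest(self._hashes[self._next], self._hash(candidate))
        if ok:
            self._next += 1  # a replayed (sniffed) password now fails
        return ok


def demo() -> dict:
    """Walk through the scenario from the post: a sniffed password is replayed after use."""
    plain = generate_password_list(count=3)
    store = DisposablePasswordList(plain)
    first_login = store.verify(plain[0])   # legitimate login from a public terminal
    replay = store.verify(plain[0])        # the same password replayed later is rejected
    out_of_order = store.verify(plain[2])  # skipping ahead in the list is rejected too
    second_login = store.verify(plain[1])  # the next password in sequence works
    return {"first": first_login, "replay": replay, "out_of_order": out_of_order,
            "second": second_login, "remaining": store.remaining()}


if __name__ == "__main__":
    print(demo())
```

Note that a password is invalidated at the moment it is accepted rather than at logout, which is slightly stricter than the post's wording: it closes the window in which a captured password could be reused while the legitimate session is still open.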