Brian Mearns wrote:
> On Wed, Jan 28, 2009 at 7:18 AM, André Warnier <aw@xxxxxxxxxx> wrote:
>> Anyway, the OP did not sound like he was talking about an access to Fort Knox, although you never know..
>
> Oh shoot! Now you've blown my cover! =J Man in the middle is what it is, I'm not really that concerned about it because I'm not dealing with anything too critical. I just want to provide some fairly robust security for a handful of users. I've got a lot to work with from this conversation, which is good. Ultimately, I'm going to leave it up to users whether or not they want to connect with HTTPS, and make it clear that this is the only way to really secure the session and data.

The sorry part about the Internet (and also about real life, unfortunately) is that there are actually people out there who seem to enjoy putting a lot of effort into cracking sites and doing damage when they get in, without gaining any apparent material advantage out of it. There are also real gangsters, who are not looking at damaging your site particularly, but at using it as a platform to attack more juicy targets. So the fact of not having anything too critical on your own site is not a guarantee that they won't try. And it is indeed better to try and build some security into your site from the start, rather than waiting until the first damage appears. By the way, the attacker might be one of the very people registered on your site too, whether they do it on purpose or not. So do not trust anything that registered users submit in their forms either.
And watch your logfiles regularly.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info.