On Wed, Jan 28, 2009 at 9:21 AM, André Warnier <aw@xxxxxxxxxx> wrote:
> Brian Mearns wrote:
>>
>> On Wed, Jan 28, 2009 at 7:18 AM, André Warnier <aw@xxxxxxxxxx> wrote:
>>>
>>> Anyway, the OP did not sound like he was talking about an access to Fort
>>> Knox, although you never know..
>>
>> Oh shoot! Now you've blown my cover! =J
>>
>> Man in the middle is what it is, I'm not really that concerned about
>> it because I'm not dealing with anything too critical. I just want to
>> provide some fairly robust security for a handful of users. I've got a
>> lot to work with from this conversation, which is good. Ultimately,
>> I'm going to leave it up to users whether or not they want to connect
>> with HTTPS, and make it clear that this is the only way to really
>> secure the session and data.
>>
> The sorry part about the Internet (and also about real life unfortunately),
> is that there are actually people out there who seem to enjoy putting a lot
> of effort into cracking sites and do damage when they get in, without
> gaining any apparent material advantage out of it. There are also real
> gangsters, who are not looking at damaging your site particularly, but at
> using it as a platform to attack more juicy targets.
> So the fact of not having anything too critical on your own site is not a
> guarantee that they won't try.
> And it is indeed better to try and build some security in your site from the
> start, rather than waiting until the first damage appears.
> By the way, the attacker might be one of the very people registered on your
> site too, whether they do it on purpose or not. So do not trust anything
> that registered users submit in their forms either.
> And watch your logfiles regularly.

Thanks for the advice.
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.