Re: Re: for the security minded web developer - secure way to login?

German Geek wrote:
Well, httpus seems like a good idea though. That's the kind of response I was
hoping for. :-)

Maybe browsers would implement that idea in the future. I like that idea a
lot actually. I mean when you login to your linux server the first time with
openssh, you also have to accept the certificate. In the end you have to
trust something somewhere anyway, even if it's just the programmers of the
browser and other software...

If your server is remote, yes, the very first time you have to accept the public key. After that you can pass the key to other hosts you plan to log in to.


I mean who seriously looks through all the source code of the linux kernel
even though it is open source?

A lot of people do. That's how potential exploits are found.


And even if someone does it (good on them),
do they understand every single line? A back door could be just a few lines
of hard-to-understand code that you might skip. It could even be encrypted
and in assembly, making it very hard to decipher. Who has that much time and
brains?

Kernel engineers.
The NSA.
Etc.

With Windows you have to trust M$ even more because you cannot even
look, and I seriously doubt anyone can disassemble the whole Windows OS and
read the code. They would not finish in this lifetime, not even through
50MB of source code, I believe. That's a lot!

At least parts of the Windows source are made available to those who have a need to see it, have a lot of money, and are willing to sign an NDA. It's extremely hard to get access, but it can be done.


A warning at the top of the page, as if there were blocked content, would
be sufficient until the user clicks to confirm the validity of the cert.
The warning could just stay until clicked, or have a "don't show me again" option or
something like that.

I agree - the way Opera does it is sufficient.


FF3 atm changes the whole page when a cert is not authenticated. httpus
could have a small warning but leave the site in shape and let it work. This
would also have to be implemented in web servers though, but why not? Seems
like a brilliant idea to me. The warning could also only be displayed once.

The way Opera does it, you click a button to accept it for one session. If you want to accept it permanently, you have to click the security tab on the warning and check a box. That's the way it should be done in FF3.

It's not the job of Firefox to second-guess the user. Inform them of the issue, but don't try to force them into rejecting it by making it overly cumbersome to accept it.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
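The trust-on-first-use model the thread keeps coming back to (OpenSSH's known_hosts, and the Opera "accept for this session" versus "accept permanently" choice) is small enough to show in full. The following is an added illustration written for this page, not code from any poster, browser or from OpenSSH itself; the host name, the key bytes and the in-memory pin store are constructed for the example, and a real client would hash the server's DER-encoded public key rather than a placeholder string.

```python
import base64
import hashlib


class TofuStore:
    """Pins a host name to the SHA-256 fingerprint of the public key it presented
    the first time it was contacted, the way OpenSSH's known_hosts does.

    Pins accepted "for this session only" live in a separate table that
    new_session() discards; permanent pins survive it (the two choices the
    thread describes for Opera).
    """

    def __init__(self):
        self._permanent = {}  # host -> fingerprint, kept across sessions
        self._session = {}    # host -> fingerprint, cleared by new_session()

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        # Same presentation OpenSSH uses: "SHA256:" + unpadded base64 digest.
        digest = hashlib.sha256(public_key).digest()
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

    def check(self, host: str, public_key: bytes) -> str:
        """Classify the key a host just presented.

        'first-seen'  nothing pinned yet: the user must decide (the banner the
                      thread argues for, instead of replacing the whole page);
        'match'       identical to the pinned key, proceed silently;
        'mismatch'    a different key than before: the one case that should
                      stop the connection, since it is what an interposed
                      server looks like from the client's side.
        """
        fp = self.fingerprint(public_key)
        pinned = self._permanent.get(host, self._session.get(host))
        if pinned is None:
            return "first-seen"
        return "match" if pinned == fp else "mismatch"

    def accept(self, host: str, public_key: bytes, permanent: bool) -> None:
        """Record the user's decision after a 'first-seen' result."""
        table = self._permanent if permanent else self._session
        table[host] = self.fingerprint(public_key)

    def new_session(self) -> None:
        """Forget the pins that were accepted for one session only."""
        self._session.clear()

    def export_pins(self) -> str:
        """One 'host fingerprint' line per permanent pin, so the list can be
        copied to another machine the way a known_hosts file is."""
        return "\n".join(f"{h} {fp}" for h, fp in sorted(self._permanent.items()))

    def import_pins(self, text: str) -> int:
        """Load lines produced by export_pins(); returns the number loaded."""
        count = 0
        for line in text.splitlines():
            parts = line.split()
            if len(parts) != 2 or not parts[1].startswith("SHA256:"):
                continue  # skip blank or malformed lines rather than trusting them
            self._permanent[parts[0]] = parts[1]
            count += 1
        return count


# Constructed sample keys; a real client hashes the DER-encoded public key.
KEY_A = b"constructed-public-key-of-example.test-A"
KEY_B = b"constructed-public-key-of-example.test-B"


def demo() -> list:
    """Walk through first contact, session-only acceptance, and a key change."""
    store = TofuStore()
    results = []
    results.append(store.check("example.test", KEY_A))   # first-seen
    store.accept("example.test", KEY_A, permanent=False)
    results.append(store.check("example.test", KEY_A))   # match
    store.new_session()
    results.append(store.check("example.test", KEY_A))   # first-seen again
    store.accept("example.test", KEY_A, permanent=True)
    store.new_session()
    results.append(store.check("example.test", KEY_A))   # match, pin survived
    results.append(store.check("example.test", KEY_B))   # mismatch: key changed
    # Hand the pins to a second store, as one would copy known_hosts to a new host.
    other = TofuStore()
    other.import_pins(store.export_pins())
    results.append(other.check("example.test", KEY_A))   # match
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point the code makes explicit is that "first-seen" and "mismatch" are different situations: the first is a question for the user, the second is the signal the whole scheme exists to catch, so only the second deserves a page-blocking warning.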
