[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
coderman
coderman at gmail.com
Thu Sep 29 20:50:24 UTC 2005
On 9/29/05, Tyler Close <tyler.close at gmail.com> wrote:
> ...
> I think keeping capability URLs in your bookmarks is a perfectly
> sensible thing to do, providing you then protect your bookmarks. I run
> OS X, so my entire filesystem is encrypted, including my bookmarks
> file.
This is similar to a password manager, which most browsers already
support. In this case the entire file system is protected rather than
just a password database.
I really like this approach (full HDD encryption) as it alleviates
concern about sensitive/private/secret information that may reside in
the file system otherwise (either through application flaws, user
error, or OS mechanisms like swap space and deleted but intact inodes).
> This argument is a little out of date. You can get affordable HTTPS
> hosting from providers like GoDaddy and 1and1. ... running Apache
> on your home machine with a dyndns hostname and a 7.99 SSL
> certificate is also doable.
The virtual hosting problems are annoying; distinct IPs for each
distinct certificate is a serious hurdle in some cases. I would love
to know of ways to work around this issue without hosting multiple
sites under a single domain.
> When I attend DefCon, I am always amazed that people are surprised by
> the Wall of Sheep, people who know that network snooping is possible.
> I guess you just have to experience the efficiency of live network
> snooping in order to truly appreciate it.
>
> With the rise of ubiquitous WiFi, passing secrets, even temporary
> ones, over the network in the clear is asking for trouble. Your 15
> minute session timeout is an eon on the timescale of a script watching
> the network for your protocol and exploiting it on the fly.
It's an eye opener for sure. We captured 94,805,303 packets / 10G of
data in one room alone spanning 2.5 days of activity (I wonder how
much traffic the Wall of Sheep looked at).
Dense metropolitan areas are teeming with signals full of information
that was never intended to be disclosed publicly. You should always
assume your network traffic is monitored unless proven otherwise
(where proof == strong encryption with secure key management).
On a related note, this latest draft is informative:
http://csrc.nist.gov/publications/drafts/800-21-Rev1_September2005.pdf
"Guide for Cryptography In the Federal Government"
best regards,
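Editor's note: the following example is added here and is not part of the original post or thread. It shows what the "script watching the network for your protocol" in the quoted message actually has to do when a session cookie, HTTP Basic credential or capability URL crosses the wire in cleartext HTTP, and why the same request over TLS yields nothing to such a script. The hostnames, tokens and credential below are constructed for the example; the byte strings stand in for the TCP payloads of captured packets (for instance, the payload tcpdump or libpcap would hand you) so the code runs offline.

```python
"""
Added example (not from the original post): a minimal passive "Wall of
Sheep" style extractor. Feed it the TCP payloads of captured packets and
it lifts every bearer secret that cleartext HTTP exposes.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample payloads standing in for captured TCP payloads
# (not real captures; hostnames and tokens are made up for this example).
CLEARTEXT_HTTP = (
    b"GET /docs/edit?cap=zq8Qm3Kp9VtXwY2 HTTP/1.1\r\n"
    b"Host: notes.example.org\r\n"
    b"Cookie: sid=a1b2c3d4e5f6; theme=dark\r\n"
    b"\r\n"
)
BASIC_AUTH_HTTP = (
    b"GET /private/ HTTP/1.1\r\n"
    b"Host: intranet.example.org\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    b"\r\n"
)
# A TLS record header (handshake, version 3.1) followed by opaque bytes:
# the same request over HTTPS gives a passive observer nothing to parse.
TLS_RECORD = bytes.fromhex("160301005a") + bytes(90)

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

Finding = Tuple[str, str]  # (kind, value)


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Return method, request target and lower-cased headers of a
    cleartext HTTP request, or None if the payload is not one."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "method": m.group(1).decode("ascii"),
        "target": m.group(2).decode("latin-1"),
        "headers": headers,
    }


def extract_secrets(payload: bytes) -> List[Finding]:
    """Everything a sniffer can lift from one payload: the full URL (a
    capability URL is itself the secret), every cookie, and decoded
    HTTP Basic credentials. Encrypted or non-HTTP payloads yield nothing."""
    req = parse_http_request(payload)
    if req is None:
        return []  # TLS or non-HTTP: unusable without the key
    headers = req["headers"]
    host = headers.get("host", "unknown-host")
    findings: List[Finding] = [("url", f"http://{host}{req['target']}")]
    for pair in headers.get("cookie", "").split(";"):
        pair = pair.strip()
        if pair:
            findings.append(("cookie", pair))
    scheme, _, cred = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and cred:
        try:
            findings.append(("basic-auth", base64.b64decode(cred, validate=True).decode("latin-1")))
        except (ValueError, UnicodeDecodeError):
            pass  # malformed credential blob; skip it rather than crash the scan
    return findings


def scan(payloads: List[bytes]) -> List[Finding]:
    """Run over a stream of payloads, as a script watching the wire would."""
    results: List[Finding] = []
    for payload in payloads:
        results.extend(extract_secrets(payload))
    return results


if __name__ == "__main__":
    for kind, value in scan([CLEARTEXT_HTTP, BASIC_AUTH_HTTP, TLS_RECORD]):
        print(f"{kind:10s} {value}")
```

The point of the TLS payload is the "proof == strong encryption" line above: the extractor does not need to be clever, it only needs the protocol to be in the clear, and a 15 minute session timeout is irrelevant once the `sid` cookie or the capability URL is on a screen. Real captures would additionally need TCP reassembly, which is omitted here.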