Graham P Collins wrote:
>
> when I'm logged in as the ring admin if I pull up "Inactive Sites",
> for instance, there are links on the page such as the remove link
> for a site:
> ...
> I'm concerned that all this info -- the site of the ringadmin page
> and the username and password to login to it -- is being passed
> across the internet with no security. What is to stop some hacker
> from sniffing packets to detect strings like this and then go and
> wreak havoc?

Even if I'm not able to do such things myself, I agree that it would be possible for a hacker to do it. In my opinion, the security level is still good enough; I find it very hard to believe that hacking a ring would be challenging enough for a skilled hacker to bother about. But of course there is a risk, and that's one reason why it's important to back up the files regularly.

> How difficult would it be to set things up so that the ringlink
> tools would use SSL or something to hide this info?

Interesting question. I just did an experiment and changed the $cgiURL variable in my own rlconfig.pm file to a URL that passes the info through a secure server. One problem is that the value of $cgiURL is used not only for admin purposes, but also for navigation, so this simple solution is not good enough. I guess that the $cgiURL variable would need to be divided into two variables, one for admin and one for navigation.

However, please feel free to study my experiment - I will keep it this way for a few hours.

/ Gunnar