
how 'bout logging in securely?

Originally posted by: jhu
I have a lot of sensitive, top-secret info in my private message box.

Well, most of us don't, so I don't see it happening 😀
 
It would cost a security certificate. Also, SSL puts a tremendous load on a server outside of normal web traffic. Think about it simply for a second: a web server has to sort and "packetize" traffic anyway; now, this is a quick process. With SSL, and especially with what you're suggesting, you would have to secure not only the login process but everything beyond that as well to secure your PMs. With SSL it's now standard 128-bit encryption. Sure, servers encrypt the packets quickly on ONE connection at a time; stack that with the 600 other people who are logged in and you have a serious bottleneck, backlog, lagging server issue.

AKA

not gonna happen,

not worth the time.
 
If the information is that "top secret" and important, I'd recommend backing it up elsewhere rather than storing it in your pm box (if you're that concerned).
 
Now I know whose account to h4x0r! 😀
 
Like I said, security certs cost $0 USD. I don't think encrypting the traffic would put that much of a strain on the servers. I doubt the webservers are all that loaded right now (I could be wrong). Plus, I'd help spring for a couple of hardware-based encryption boards. They're cheap and pretty useful (keep meaning to pick a couple up myself...).

I don't think it will happen, although secure login would be *great*, but it's not such a tough idea.
 
n0c, actually SSL puts a lot of load on traffic; encryption takes time. With the kind of load we're under here it won't happen, and besides, this is not a private vault for people to store private info.

Thanks.
 
Originally posted by: Zuni
n0c, actually SSL puts a lot of load on traffic; encryption takes time. With the kind of load we're under here it won't happen, and besides, this is not a private vault for people to store private info.

Thanks.

Eh, so I was wrong. It's those ATOTers, I tell ya! 😛
 
Originally posted by: n0cmonkey
Originally posted by: Zuni
n0c, actually SSL puts a lot of load on traffic; encryption takes time. With the kind of load we're under here it won't happen, and besides, this is not a private vault for people to store private info.

Thanks.

Eh, so I was wrong. It's those ATOTers, I tell ya! 😛

How about just doing it for subscribers?
 
You also have to consider that right now, you can't assume your data IS secure, so in the event of the breach, it will obviously not be AT's problem that your secret data is out. If, however, everything is encrypted, someone might try to hold them responsible for a loss of private data, which would obviously be a bad thing.
 
How about only allowing one IP on at once?

I mean, I can be logged on on my computer, the rents' computer, my laptop, and be logged on while I am at school all at the same time. It would be better if only one IP was allowed to be logged on to the same account.

Would this be hard Zuni?

~Aunix
 
Originally posted by: AunixM3
How about only allowing one IP on at once?

I mean, I can be logged on on my computer, the rents' computer, my laptop, and be logged on while I am at school all at the same time. It would be better if only one IP was allowed to be logged on to the same account.

Would this be hard Zuni?

~Aunix
I can't see why that would be a good idea. If you only allowed a particular user to be logged on from one computer by some method, that would suck for those of us who have more than one computer and have each one set up to retain cookies so we're logged in "all the time".
 
I have a lot of sensitive, top-secret info in my private message box.

You need to be concerned with the security of the backend, not with your data in transit. SSL is like asking to use an armored car to move funds between homeless people on two different park benches. While armored cars have their places, it's best to beef up security at the park benches first 😉

self signing is free. I did it.

Free and useless. It doesn't really solve a problem. Data in transit on the wire is not the weakness on the broad internet. Stealing a quote from Bruce, "This means that you are using SSL to establish a secure channel with a random person. Imagine you are sitting in a lightless room with a stranger. You know that your conversation cannot be eavesdropped on. What secrets are you going to tell the stranger? Nothing, because you have no idea who he is. SSL is kind of like that." With self-signing you have no way to authenticate the remote server is who he said he is, and if someone does spoof DNS or perform another misdirection attack you have no way to detect it.

Bill


 
Originally posted by: bsobel

self signing is free. I did it.

Free and useless. It doesn't really solve a problem. Data in transit on the wire is not the weakness on the broad internet. Stealing a quote from Bruce, "This means that you are using SSL to establish a secure channel with a random person. Imagine you are sitting in a lightless room with a stranger. You know that your conversation cannot be eavesdropped on. What secrets are you going to tell the stranger? Nothing, because you have no idea who he is. SSL is kind of like that." With self-signing you have no way to authenticate the remote server is who he said he is, and if someone does spoof DNS or perform another misdirection attack you have no way to detect it.

Bill

It's not useless at all. But I now agree with your point. I've thought about the authentication vs. encryption thing quite a bit lately. My method covers encryption (what I am concerned with on my setup), but not authentication and trust. Of course, you can't trust VeriSign, which owns most of the 3rd-party verification companies anyhow...
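
The encryption-versus-authentication gap discussed above, as an added example that is not part of any post in the thread: a self-signed certificate only tells the client anything about the server's identity if the client remembers its fingerprint and notices when it changes. `PinStore`, `demo` and `forum.example` are hypothetical names, and the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, hex-encoded."""
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """Hypothetical trust-on-first-use store: host -> first fingerprint seen."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, der_bytes: bytes) -> str:
        seen = fingerprint(der_bytes)
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so the peer's
            # identity is still unverified. Record it and say so.
            self._pins[host] = seen
            return "first-use (unauthenticated)"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Same name, different certificate: DNS spoofing, misdirection,
        # or a legitimate re-key. Do not overwrite the pin automatically.
        return "MISMATCH"


def demo():
    # Constructed stand-ins for DER certificates. In real use the bytes come
    # from ssl.SSLSocket.getpeercert(binary_form=True).
    server_cert = b"constructed self-signed cert of the real server"
    other_cert = b"constructed self-signed cert of some other host"
    store = PinStore()
    return [
        store.check("forum.example", server_cert),
        store.check("forum.example", server_cert),
        store.check("forum.example", other_cert),
        store.check("forum.example", server_cert),  # pin was not replaced
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first result is the case the thread describes: on first contact the channel is encrypted but the peer is unverified, and only later connections can be checked against the stored pin.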
 