Message-ID: <CAPS+U99y-C93h-fPEitvsgNzY4-kzY_gBdgTkr_6Ryhmaw_KDg@mail.gmail.com>
Date: Tue, 12 Mar 2013 11:15:48 +1300
From: Pedro Worcel <pedro@...cel.com>
To: john-users@...ts.openwall.com
Subject: Re: OT: HTTPS for openwall.info?

Hi there!

It is obviously your domain and your name, but I (possibly the biggest noob
in the mailing list) for one am a big fan of https.

https://www.eff.org/deeplinks/2012/12/end-year-blog-post-2012-https-rise

The main reason I like it is because I am behind a restrictive firewall (at
work), so while I don't understand how bad it is for a person in a country
with a great firewall, I know it is a major pain in the ass for censors if
websites use https only. (e.g. with github/china ordeal)

=)
Pedro

2013/3/12 Solar Designer <solar@...nwall.com>

> On Mon, Mar 11, 2013 at 10:34:51PM +0100, buawig wrote:
> > > any chance openwall.info will be reachable via HTTPS any time
> > > soon?
> >
> > Any information/opinion on that?
>
> I have no current plans to spend/waste any of my time on this, sorry.
>
> Just use a unique password that you're not using elsewhere. HTTPS or
> not, you should be doing this anyway, because the server might get
> compromised and because you shouldn't trust us, the sysadmins, with
> credentials to your other/unrelated accounts. ;-) As to someone
> possibly capturing your password and making a wiki edit, it's not a big
> deal. Anyone could simply register for an account and make an edit, and
> we're monitoring the wiki for possible vandalism anyway.
>
> If we had many more users register for wiki accounts, this could be a
> high priority task, but as it is it appears relatively unimportant to
> me, compared to other things I might spend my time on (affecting
> security of larger numbers of users or/and in more important ways).
>
> OK, here's one good reason for us to offer HTTPS access to the wiki
> anyway: the example we provide to other sites accepting user/password
> logins, including sites with substantial number of users. Maybe this is
> in fact a reason for us to do it ourselves.
>
> BTW, DokuWiki uses md5crypt (at least the version we have deployed).
> If we were serious about improving the security of our wiki, we'd need
> to patch that, but frankly I don't bother. Irresponsible of me? In a
> way, yes, but there are just so many other things to spend time on.
>
> If anyone wants to review what password hashes new versions of DokuWiki
> use, and maybe patch that (perhaps to use phpass, which would default to
> bcrypt on recent PHP) and submit the patch upstream, feel free to work
> on that. It'd make more of a difference for the world at large than
> patching or/and SSL'ing our one DokuWiki install.
>
> Alexander
>

--
GPG: http://is.gd/droope <http://is.gd/signature_>