Message-ID: <CAPS+U99y-C93h-fPEitvsgNzY4-kzY_gBdgTkr_6Ryhmaw_KDg@mail.gmail.com>
Date: Tue, 12 Mar 2013 11:15:48 +1300
From: Pedro Worcel <pedro@...cel.com>
To: john-users@...ts.openwall.com
Subject: Re: OT: HTTPS for openwall.info?

Hi there!

It is obviously your domain and your name, but I (possibly the biggest noob
in the mailing list) for one am a big fan of https.

https://www.eff.org/deeplinks/2012/12/end-year-blog-post-2012-https-rise

The main reason I like it is because I am behind a restrictive firewall (at
work), so while I don't understand how bad it is for a person in a country
with a great firewall, I know it is a major pain in the ass for censors if
websites use https only. (e.g. with the GitHub/China ordeal)

=)

Pedro


2013/3/12 Solar Designer <solar@...nwall.com>

> On Mon, Mar 11, 2013 at 10:34:51PM +0100, buawig wrote:
> > > any chance openwall.info will be reachable via HTTPS any time
> > > soon?
> >
> > Any information/opinion on that?
>
> I have no current plans to spend/waste any of my time on this, sorry.
>
> Just use a unique password that you're not using elsewhere.  HTTPS or
> not, you should be doing this anyway, because the server might get
> compromised and because you shouldn't trust us, the sysadmins, with
> credentials to your other/unrelated accounts. ;-)  As to someone
> possibly capturing your password and making a wiki edit, it's not a big
> deal.  Anyone could simply register for an account and make an edit, and
> we're monitoring the wiki for possible vandalism anyway.
>
> If we had many more users register for wiki accounts, this could be a
> high priority task, but as it is it appears relatively unimportant to
> me, compared to other things I might spend my time on (affecting
> security of larger numbers of users or/and in more important ways).
>
> OK, here's one good reason for us to offer HTTPS access to the wiki
> anyway: the example we provide to other sites accepting user/password
> logins, including sites with substantial number of users.  Maybe this is
> in fact a reason for us to do it ourselves.
>
> BTW, DokuWiki uses md5crypt (at least the version we have deployed).
> If we were serious about improving the security of our wiki, we'd need
> to patch that, but frankly I don't bother.  Irresponsible of me?  In a
> way, yes, but there are just so many other things to spend time on.
>
> If anyone wants to review what password hashes new versions of DokuWiki
> use, and maybe patch that (perhaps to use phpass, which would default to
> bcrypt on recent PHP) and submit the patch upstream, feel free to work
> on that.  It'd make more of a difference for the world at large than
> patching or/and SSL'ing our one DokuWiki install.
>
> Alexander
>



-- 
GPG: http://is.gd/droope <http://is.gd/signature_>
