cocoon-dev mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: [proposal] Doco
Date Tue, 28 Oct 2003 21:33:36 GMT

> doco has a very precise editing access point. You can
> *ONLY* modify xml content.

> The unique and only security concern here is defacement.

OK.  So not the full site content, just the XML content and images?  So then
the exposure is "only" defacement, page hijacking through a REFRESH
meta-tag, scripting exploits, etc.

> I really appreciate your concerns and, please, keep in mind that I read
> and send my email via SSH tunnels

Same here.  :-)

> I think you proposed to use SMTP over SSL for mail relay, that would
> reduce the ability of somebody to prevent sniffing the continuation-ID
> and provide that attack.

SMTP AUTH over SSL.  Moderators would have a password, and SSL would protect
it.

> I do agree it would help reducing the risk, but would all moderators'
> SMTP servers support that?

Ah  :-)  I was expecting that the moderator would connect *directly* to
moof, in which case only their MUA would have to support SMTP AUTH and SSL.

> Another solution is to force moderators to digitally sign their email,
> but this would require a much more intrusive setup.

I wasn't suggesting such, no.

	--- Noel

