httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] IP-address spoofing a concern?
Date Wed, 28 Jan 2009 14:21:26 GMT
Brian Mearns wrote:
> On Wed, Jan 28, 2009 at 7:18 AM, André Warnier <aw@ice-sa.com> wrote:
>> Anyway, the OP did not sound like he was talking about an access to Fort
>> Knox, although you never know..
> 
> Oh shoot! Now you've blown my cover! =J
> 
> Man in the middle is what it is, I'm not really that concerned about
> it because I'm not dealing with anything too critical. I just want to
> provide some fairly robust security for a handful of users. I've got a
> lot to work with from this conversation, which is good. Ultimately,
> I'm going to leave it up to users whether or not they want to connect
> with HTTPS, and make it clear that this is the only way to really
> secure the session and data.
> 
The sorry part about the Internet (and also about real life,
unfortunately) is that there are actually people out there who seem to
enjoy putting a lot of effort into cracking sites and doing damage when
they get in, without gaining any apparent material advantage out of it.
There are also real gangsters, who are not looking at damaging your
site particularly, but at using it as a platform to attack more juicy
targets.
So the fact of not having anything too critical on your own site is not 
a guarantee that they won't try.
And it is indeed better to try and build some security in your site from 
the start, rather than waiting until the first damage appears.
By the way, the attacker might be one of the very people registered on 
your site too, whether they do it on purpose or not.  So do not trust 
anything that registered users submit in their forms either.
And watch your logfiles regularly.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

