Some guidelines:

1. HTTPS
2. The file on the HTTPS server is username/pass protected.
3. The username and pass combo has access ONLY to config files it should have.
4. Directory listing should ALWAYS be disabled.

If you can't use HTTPS or username/pass, then at the very least disable directory listing.

For Polycom phones keep in mind: if the password to the phone's HTTP page is not changed, then using the following script one will be able to read the SIP credentials. While some might not mind it, there should be no reason for an end user to know the SIP credentials.

Here is the script, just paste it into a favorite button on your toolbar with any browser and whenever you see asterisks on a page hit it :D

===begin script, it's one line===
javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Password is:\n\n" + s); else alert("No passwords");})();
====end script====

This works even for saved passwords. What's interesting is that even if the password was never entered or saved with the browser you are using, the Polycom interface will populate the real password masked with asterisks.

With Polycom phones you can use the following (this is meant for when you give a phone to a customer but they are entering the provisioning settings):

1. Create a config file that is password protected with a temp password.
2. That config file should contain new config settings with a new unique username/pass combo.
3. Delete that file once accessed.
4. In the configs, change the interface password of the phone.
5. Make sure that directory listing is disabled on the HTTP server and that the username/pass combo will only show this phone's config files.

Hope this helps.

On Wed, Oct 27, 2010 at 8:28 AM, Andrew Latham <lath...@gmail.com> wrote:
> http://wiki.snom.com/wiki/index.php/Settings/http_client_user
>
> On Wed, Oct 27, 2010 at 9:14 AM, Jonas Kellens <jonas.kell...@telenet.be>
> wrote:
>> On 10/27/2010 01:55 PM, Andrew Latham wrote:
>>> Jonas
>>>
>>> A quick look at the snom wiki will tell you that I am right...
>>>
>>
>> At what page are you looking then ??
>>
>> I only see : http://wiki.snom.com/Settings/http_scheme
>>
>>
>> Jonas.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
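
The provisioning-server guidelines in the message above (per-phone credentials, no directory listing, a temporary config that disappears once fetched), as an added example that is not part of the original post or any vendor's code. The account names, passwords, file names and the choice to answer 404 for anything outside a phone's allow-list are constructed assumptions, as is removing the temporary account together with its file.

```python
import base64, hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: one account per phone (keyed by MAC), each limited
# to its own files. The first entry is the temporary bootstrap account.
ACCOUNTS = {
    "0004f2aabbcc": {"password": "temp-Vq7f2", "one_time": True,
                     "files": {"/0004f2aabbcc-bootstrap.cfg"}},
    "0004f2ddeeff": {"password": "Zt93-unique", "one_time": False,
                     "files": {"/0004f2ddeeff.cfg"}},
}
CONFIGS = {  # in-memory stand-in for the config files on disk
    "/0004f2aabbcc-bootstrap.cfg": b"<new unique provisioning user/pass>",
    "/0004f2ddeeff.cfg": b"<phone config>",
}

def serve(auth_header, path):
    """Return (status, body) for a GET of `path` with the given Authorization header."""
    try:
        scheme, blob = (auth_header or "").split(" ", 1)
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # header missing, not base64, or not UTF-8
        return 401, b""
    account = ACCOUNTS.get(user)
    if scheme.lower() != "basic" or account is None or not hmac.compare_digest(
            account["password"].encode(), password.encode()):
        return 401, b""
    # Exact-match allow-list: "/" and other phones' files get the same 404,
    # so there is no listing and no hint that another file exists.
    if path not in account["files"] or path not in CONFIGS:
        return 404, b""
    body = CONFIGS[path]
    if account["one_time"]:  # temp config: delete file and account once fetched
        del CONFIGS[path], ACCOUNTS[user]
    return 200, body

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = serve(self.headers.get("Authorization"), self.path)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="provisioning"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Demo binds plain HTTP to loopback; a real deployment serves this over HTTPS.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```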