On Jun 14, 2018, at 1:51 PM, John Long <codeb...@inbox.lv> wrote:
> 
> having to have browser tabs open for dozens of web forums

I bookmark all of the sites I need to go to regularly and place them in a 
folder in my browser’s bookmark bar so that I can open them all at once with a 
Cmd- or Ctrl-Click on the folder.  As I read each forum, I close that tab.

I actually keep two such folders, “Daily” and “Weekly,” suggesting my visiting 
frequency, which is set by how often I expect interesting content to appear.

> having to come up with and manage
> passwords for each of those

I’m not aware of any mailing list that doesn’t require a password, if only via 
some outer SSO provider.  Such a thing would be a spammer’s paradise, if it 
existed.

I don’t see this web forum depending on someone else’s SSO solution.  (OAuth, 
OpenID, etc.)  That would be very un-Fossil.

> and have to actively monitor each one to
> see if anything of interest happens to appear

Yes, just like Usenet. :)

Opening a folder of bookmarks in a browser isn’t much different than opening a 
Usenet client that’s subscribed to an equivalent number of groups.  Both 
aggregate access to many fora, opened with a single user action.

> Most mailing lists assign you a password

I subscribe to a whole lot of mailing lists, and I can’t come up with one where 
I was given the password instead of having to generate it with my password 
manager.

“A small minority,” I believe, but not “most.”

Certainly not GNU Mailman as configured at fossil-scm.org or at sqlite.org, at 
any rate.

> and you don't even have to keep track of it; many
> email you password reminders on a regular basis

If the mailing list is able to email you your password, it’s ripe for attack: 
they cannot possibly be hashing and salting their passwords, as is industry 
best practice:

    https://security.stackexchange.com/q/51959

(Pro tip: if a web site has a maximum password length limit under 32 characters 
or so, chances are good that they’re storing your password in plaintext, since 
hashing the password inherently converts it to a fixed length.  Higher limits 
are more likely input sanity limits rather than risk indicators.)

The closest to your usability ideal that I’ve seen is automatic password resets 
via email, which is itself a vulnerability, since it means anyone who can 
access your email account is able to take over any such service associated with 
that email account.  This is what happened in the famous Mat Honan identity 
theft:

    https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

People say, “Oh, it’s just my Google account, who cares if a bad guy takes that 
over?”  This being the account that is associated with their Android phone, 
which is associated with their mobile phone company account, which is 
associated with their credit card account, which is associated with a large 
chunk of their financial life, so now they’re pwned.

Whatever drh decides to build, using a significant slice of his limited time on 
this planet, which time I have no call on, I expect he will take password 
security seriously, evidenced by Fossil’s users table:

    https://www.fossil-scm.org/xfer/doc/trunk/www/tech_overview.wiki

(Section 2.2.4.)

> Web forums are right out.

Would you rather see drh spending time fighting spam or writing useful software?

At least if he spends his time building a forum system atop Fossil, we can all 
use it on our own projects as well.  His time spent fighting email spam has 
much more ephemeral benefits.
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
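The hashing point made above, shown as an added example that is not part of the thread: a salted, iterated one-way hash (here PBKDF2-HMAC-SHA256 with a 16-byte random salt and 200,000 iterations, parameters chosen for illustration) produces a fixed-length record from which no "password reminder" can be generated, whatever the length of the password that went in.

```python
import hashlib
import hmac
import os

# Example parameters (an assumption for this illustration, not a recommendation
# tied to any particular list server).
ITERATIONS = 200_000
SALT_LEN = 16


def store_password(password: str) -> dict:
    """Return the record a server would persist: a random salt and the
    one-way hash. The cleartext password is never part of the record."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    This is all a properly built login needs; it never recovers the password."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def stored_hash_lengths(passwords) -> set:
    """Set of stored-hash lengths (hex characters) for the given passwords.
    A single element shows the output length is independent of input length,
    which is why a low maximum-password-length limit is a warning sign."""
    return {len(store_password(p)["hash"]) for p in passwords}


def can_send_reminder(record: dict) -> bool:
    """True only if the cleartext is in the record, i.e. the site stores
    plaintext. A hashed record has nothing to email back."""
    return "password" in record
```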