On Mon, Nov 3, 2014 at 11:00 AM, Tim Kuijsten <[email protected]> wrote:
>> Tim, is your server storing passwords in plain text? If so, that's >> probably your biggest security problem. > > Hi Sam, yes, but I'll use a file that only the superuser can read. That's what i meant, anyone who roots your server owns your passwords. Check out SRP, or more modern equivalents: http://en.wikipedia.org/wiki/Password-authenticated_key_agreement chrooting and dropping is a good thing, but its not like no attacker has ever gotten out of a chroot jail, or just decided the http server wasn't the weakest link, and got in some other way. If you are going through this trouble, you may want more depth to your defence. >> Have you considered OAUTH, so that passwords don't flow through your >> server at all? > > Given the controversy around oauth2 [4] One loud critic doesn't equate to a controversy. And there is both OAUTH and OAUTH2. They only work for web-clients, of course, so may not be appropriate for your use. No keying material on your server has some nice security properties. Cheers, Sam -- Job board: http://jobs.nodejs.org/ New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/CACmrRmQNVD8FZZ2PW0PXjcCNFLsdU7eOpZMS0RDCpj9MUr49Fg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
