Ajai Khattri wrote:
> On Fri, 2 Jan 2009, Allen Shaw wrote:
>> Basic auth seems enough to protect my todo list from abuse
>
> Unless you're using HTTPS, that security is not sufficient since your
> password will be sent as clear text across an open network...
Agreed. I should have worded it more clearly: Basic auth over http seems
"secure enough" to protect my todo list from abuse, considering its
relative value to me. However, given the inherent limitations of basic
auth over a non-encrypted connection, the stakes get considerably higher
when we consider that I'm accepting shell script arguments over the web
-- poor security could easily lead to arbitrary code being passed to the
shell by anyone who cares enough to sniff out the basic auth credentials.
Basic auth will prevent the casual drifter from writing graffiti on my
todo list. To prevent real damage to the server itself, I'm relying on
the script to police the input. Bad idea?
- A.
--
Allen Shaw
slidePresenter (http://slides.sourceforge.net)
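As an added illustration of what "relying on the script to police the input" can look like on the web side (this is example code, not anything from the thread or from Allen's project), the gate below allow-lists the action and the argument text and then hands them to the script as an argv list so no shell ever parses the user's text; the script path /usr/local/bin/todo is an assumed placeholder.

```python
"""Web-side gate for forwarding user input to a shell script.
Added example; the script path and its subcommands are assumptions."""
import re
import shlex
import subprocess

# Hypothetical todo script (assumption, not a real path on the list's server).
SCRIPT = "/usr/local/bin/todo"

# Allow-list of subcommands the web front end may forward.
ALLOWED_ACTIONS = {"add", "done", "list"}

# Allow-list for the free-text argument: printable subset, no shell
# metacharacters, bounded length. Anything else is rejected outright.
SAFE_TEXT = re.compile(r"^[A-Za-z0-9 .,_-]{1,120}$")


def validate(action, text):
    """Return (action, text) if both pass the allow-lists, else raise ValueError."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    if text is not None and not SAFE_TEXT.match(text):
        raise ValueError("argument contains characters that are not allowed")
    return action, text


def build_argv(action, text=None):
    """Build an argv list. Passing a list (shell=False) means the text is
    delivered to the script as one argument, never re-parsed by a shell."""
    action, text = validate(action, text)
    argv = [SCRIPT, action]
    if text is not None:
        argv.append(text)
    return argv


def log_form(argv):
    """Shell-quoted rendering of argv for audit logs (shlex.join quotes safely)."""
    return shlex.join(argv)


def run(action, text=None):
    """Validate, then execute without a shell; returns the CompletedProcess."""
    argv = build_argv(action, text)
    return subprocess.run(argv, capture_output=True, text=True, check=False)
```

The same two rules apply in PHP: allow-list the value first, and pass it as a single quoted argument (escapeshellarg) rather than interpolating it into a command string.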
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php