[geeklog-devel] Atom publishing

Tony Bibbs tony at tonybibbs.com
Thu May 29 17:44:20 EDT 2008


Yeah, I thought the same thing. I guess my only additional justification is that doing the encryption isn't much work and it would require some hunting and pecking (e.g. what files use this database, where's the code that looks up the key, where's the key). Your last point about limiting what you can do remotely makes sense, which gets to what I said about also considering having remotely published stuff going to submission queues.

--Tony

----- Original Message ----
From: Vincent Furia <vfuria at gmail.com>
To: Geeklog Development <geeklog-devel at lists.geeklog.net>
Sent: Thursday, May 29, 2008 4:34:02 PM
Subject: Re: [geeklog-devel] Atom publishing

Why encrypt the web services password at all?  There is a good chance, if an attacker has access to your database he has access to your filesystem (and the encryption key).  Additionally, what a person can do from a third party web site should be limited for security reasons anyway.

-Vinny

On Thu, May 29, 2008 at 3:19 PM, Tony Bibbs <tony at tonybibbs.com> wrote:
Dunno, pick a place.  a .txt file on the file system?!?  In that case the system would want to ensure the .txt file is locked down permission-wise.

I think your point is wherever we store it we'd better lock it down best as we can.  Couldn't agree more.

--Tony

----- Original Message ----
From: Joe Mucchiello <joe at ThrowingDice.com>
To: Geeklog Development <geeklog-devel at lists.geeklog.net>
Sent: Thursday, May 29, 2008 3:37:24 PM
Subject: Re: [geeklog-devel] Atom publishing


Where do you store the cipher key?

At 04:09 PM 5/29/2008, Tony Bibbs wrote:
>That said, my original question is still valid.  If we stored a
>password encrypted some 2-way cipher in the DB you could

----
Joe Mucchiello
Throwing Dice Games
http://www.throwingdice.com

_______________________________________________


geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
http://eight.pairlist.net/mailman/listinfo/geeklog-devel


