Textpattern Forum


#31 2008-11-04 10:23:52

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 4,480

Re: What do you do to secure "/textpattern"?

artagesw wrote:

The difference is that your bank is securing that page with SSL, and you are likely not doing the same with your Txp site. Therefore, your user name and password are sent in the clear every time you log in, and can be intercepted by anyone who might be listening.

“Anyone who might be listening”… that requires access to a router on the path from your computer to the server where TXP is installed. Sure, it’s possible, but a bank is typically a more interesting target than the average TXP install. POP3 also works with plain text authentication, but you rarely hear about intercepted user/pass there.

I think the risk of a dictionary attack on weak user/pass combinations is greater than someone being able to sniff the user/pass due to the use of a non-secure connection. And using SSL doesn’t prevent a keylogger from grabbing the username/password when you enter it on your own computer nor does it protect users from phishing attacks.

Last edited by ruud (2008-11-04 10:39:05)


#32 2008-11-04 15:13:42

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

Hey artagesw, how could you have Textpattern at admin.domain.com/ but your site at domain.com/?


~ Cameron


#33 2008-11-04 15:34:13

Gocom
Developer
Registered: 2006-07-14
Posts: 4,403

Re: What do you do to secure "/textpattern"?

How could you have Textpattern at admin.domain.com/ but your site at domain.com/?

It’s fairly possible, ‘cause it’s just a subdomain. Just configure it to read Textpattern’s admin dir.


Rah-plugins | What? I’m a little confused… again :-) <txp:is_god />


#34 2008-11-04 16:28:20

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

Gocom wrote:

How could you have Textpattern at admin.domain.com/ but your site at domain.com/?

It’s fairly possible, ‘cause it’s just a subdomain. Just configure it to read Textpattern’s admin dir.

So what’s going where, file-wise?


~ Cameron


#35 2008-11-04 16:40:29

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,175

Re: What do you do to secure "/textpattern"?

driz wrote:

So what’s going where, file-wise?

It really depends on how your host handles subdomains. Mine will let me easily point my subdomain to ANY directory, which would make this easy. It would then just be a matter of blocking access from the other domain.


My Plugins

Piwik Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker


#36 2008-11-05 12:58:22

wet
Developer
From: Lenzing, Austria
Registered: 2005-06-06
Posts: 3,087

Re: What do you do to secure "/textpattern"?

masa wrote:

And then there are numerous sites with a note in their footer saying “powered by …” – obvious, huh?!

Evil hackers using such a Google dork usually look for something like this. That’s the downside of a monoculture…


#37 2008-11-05 19:02:22

artagesw
Developer
From: Seattle, WA
Registered: 2007-04-29
Posts: 227

Re: What do you do to secure "/textpattern"?

driz wrote:

Hey artagesw, how could you have Textpattern at admin.domain.com/ but your site at domain.com/?

My method requires a few changes to the core code, so it is a bit involved. (My mods also allow for multi-site support from a single txp install.) I’m talking with the txp devs about whether it would make sense to incorporate these changes into txp core, which would make it a much simpler process.

Meantime, as others have noted, if your host supports subdomain pointing then that would be the easiest way to go (along with a mod_rewrite or similar rule to block direct access to the /textpattern directory).


#38 2008-11-05 19:09:33

artagesw
Developer
From: Seattle, WA
Registered: 2007-04-29
Posts: 227

Re: What do you do to secure "/textpattern"?

ruud wrote:

“Anyone who might be listening”… that requires access to a router on the path from your computer to the server where TXP is installed. Sure, it’s possible, but a bank is typically a more interesting target than the average TXP install. POP3 also works with plain text authentication, but you rarely hear about intercepted user/pass there. I think the risk of a dictionary attack on weak user/pass combinations is greater than someone being able to sniff the user/pass due to the use of a non-secure connection. And using SSL doesn’t prevent a keylogger from grabbing the username/password when you enter it on your own computer nor does it protect users from phishing attacks.

Hi Ruud,

Some installations will require that all user logins be secured via SSL as part of a company-wide or corporate policy. For example, we use Textpattern in a corporate environment where this is mandatory. These same environments certainly prohibit use of unsecured protocols like POP3/plaintext as well. So, it would be nice if Txp accommodated these types of installations in as simple a manner as possible.

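The setup sketched in posts #33, #35 and #37 (subdomain pointed at the Textpattern admin directory, direct access to /textpattern blocked on the public hostname, plus a mod_rewrite variant for shared hosts) and the SSL-only admin login artagesw asks for in #38 can be expressed as Apache configuration. The block below is an added example, not configuration from the thread or from the Textpattern project. It assumes the site lives in /var/www/example.com with the admin interface in /var/www/example.com/textpattern, the hostnames example.com and admin.example.com, certificate paths under /etc/ssl, and Apache 2.4 syntax with mod_ssl, mod_alias and mod_rewrite loaded. It also assumes, as MattD and Gocom describe, that serving the textpattern directory as the subdomain’s document root is enough for the admin interface to work; verify that on your install before relying on it.

```apache
# Added example, not from the thread. Assumed layout: public site in
# /var/www/example.com, Textpattern admin in /var/www/example.com/textpattern,
# hostnames example.com and admin.example.com. Apache 2.4 syntax; on 2.2
# replace "Require all denied" / "Require all granted" with
# "Order deny,allow" + "Deny from all" / "Allow from all".

# Public site: serve everything except the admin directory.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com

    # Block direct access to /textpattern via the public hostname.
    # The public front end includes textpattern/config.php through PHP on the
    # filesystem, not over HTTP, so denying HTTP access here does not break it.
    <Directory /var/www/example.com/textpattern>
        Require all denied
    </Directory>

    # Equivalent mod_rewrite form. These three directives are also what you
    # would put in the site root's .htaccess on a shared host that only lets
    # you point the subdomain at a directory. The HTTP_HOST condition matters
    # there: requests for admin.example.com land in the same directory tree,
    # and without it the rule would lock you out of your own admin hostname.
    <Directory /var/www/example.com>
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^admin\.example\.com$ [NC]
        RewriteRule ^textpattern(/|$) - [F]
    </Directory>
</VirtualHost>

# Admin hostname: plain HTTP only redirects to HTTPS, so the login form and
# the POSTed username/password never travel in the clear.
<VirtualHost *:80>
    ServerName admin.example.com
    Redirect permanent / https://admin.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName admin.example.com
    DocumentRoot /var/www/example.com/textpattern

    SSLEngine on
    # Certificate and key paths are assumed; adjust to your host.
    SSLCertificateFile /etc/ssl/certs/admin.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/admin.example.com.key

    <Directory /var/www/example.com/textpattern>
        Require all granted
    </Directory>
</VirtualHost>
```

After loading this, check both sides: a request for http://example.com/textpattern/ should return 403, and http://admin.example.com/ should answer with a 301 to the https:// URL rather than serving the login form. Note that this only addresses the sniffing concern from the SSL discussion; it does nothing about the weak-password dictionary attacks ruud raises, which still need strong credentials on the Textpattern accounts themselves.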


Powered by FluxBB