Textpattern CMS support forum
#1 2009-06-10 08:04:51
- saccade
- Plugin Author
- From: Neubeuern, Germany
- Registered: 2004-11-05
- Posts: 521
Protection Quality
I’m dealing with a few different scenarios of protection.
Basically some txp installs should be completely private.
What is best, or what are the pros and cons of the different ways of protection?
- protected directory
- rvm_privileged
- txp:password_protect
- ign_password_protect
- is there any encryption?
more?
Does anyone have tips or advice?
Thanks!
Re: Protection Quality
- protected directory
  - HTTP authentication
  - requires other tools to update the list of allowed users + passwords
- rvm_privileged
  - requires people to log in on the admin side first.
  - small, due to use of built-in TXP functionality
- txp:password_protect
  - only allows one user/password combination
  - HTTP authentication
  - doesn’t work in all server setups.
- ign_password_protect
  - HTTP authentication (doesn’t work in all server setups) or login form
  - many features… which does make it a rather big plugin.
  - duplicates a lot of TXP code, without tracking the changes in the actual TXP core code, which is important for things that concern security.
- HTTP authentication transmits the password as plain text, though you could tunnel it through HTTPS.
- The other authentication methods transmit the password unencrypted when logging in (again, HTTPS would solve that), but use hashes to maintain state.
#3 2009-06-29 21:25:06
- saccade
- Plugin Author
- From: Neubeuern, Germany
- Registered: 2004-11-05
- Posts: 521
Re: Protection Quality
Hi ruud,
nice to have you here :)
Thanks for that good overview!
“Tunnelling password transmission” has to be done with other tools, as I understand it. Correct?
And: As far as I see: currently there is no way that Textpattern asks and transmits password requests encrypted? What I think of: I open a Textpattern site, Textpattern switches to forced HTTPS and asks for a login which will be transmitted encrypted. Should be the safest way to keep your online treasures of information private?
Re: Protection Quality
HTTPS = HTTP tunneled through an SSL/TLS connection (that’s what I meant with my tunneling comment)
I think any other attempt to encrypt the password would be reinventing the wheel.
Keep in mind though, that the initial password is sent through email (good old SMTP), which is as unencrypted as HTTP is.
Last edited by ruud (2009-06-29 21:42:48)
Re: Protection Quality
I used only the .htaccess + .htpasswd combination for hiding the whole site (it was a school’s site). My client and I were satisfied with the combination of safety and usability :)
Providing help in hacking ATM! Come to our courses and don’t forget to bring a notebook and a hammer! Why a notebook? What kind of hacker are you without a notebook?
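Two points in the thread above, ruud’s remark that HTTP authentication sends the password as plain text and the .htaccess + .htpasswd setup in the previous post, are illustrated by the following added example. It is not code from the forum, from Textpattern or from Apache: it decodes a constructed Basic credential exactly as anyone reading the unencrypted request could, and checks a password against a constructed .htpasswd in the {SHA} scheme (what `htpasswd -s` writes); {SHA} is chosen only because it is reproducible with the standard library, since it is unsalted and fast to brute-force, and a real server should use `htpasswd -B` (bcrypt) behind HTTPS instead.

```python
import base64
import hashlib
import hmac


def make_sha_entry(user, password):
    """One .htpasswd line in the {SHA} scheme: base64 of the raw,
    unsalted SHA-1 of the password (what `htpasswd -s` produces)."""
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
    return f"{user}:{{SHA}}{digest.decode('ascii')}"


# Constructed sample .htpasswd with two users (not real credentials).
HTPASSWD_TEXT = "\n".join([
    "# users allowed into the private site",
    make_sha_entry("editor", "correct horse"),
    make_sha_entry("guest", "battery staple"),
])

# Constructed sample of what a browser sends after a 401 Basic challenge.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"editor:correct horse").decode("ascii")


def decode_basic_header(header):
    """Recover user and password from an Authorization: Basic header.
    Base64 is an encoding, not encryption: without TLS, anyone who can
    read the request gets the password back exactly this easily."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def load_htpasswd(text):
    """Parse user:digest lines, skipping blank lines and comments."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        entries[user] = digest
    return entries


def verify(entries, user, password):
    """Server-side check: hash the offered password, compare in constant time."""
    stored = entries.get(user, "")
    if not stored.startswith("{SHA}"):
        return False  # unknown user, or a scheme this example does not handle
    offered = make_sha_entry(user, password).split(":", 1)[1]
    return hmac.compare_digest(offered, stored)
```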
#6 2009-06-29 21:47:28
- saccade
- Plugin Author
- From: Neubeuern, Germany
- Registered: 2004-11-05
- Posts: 521
Re: Protection Quality
ok, I see.
Setting one’s own password from within an HTTPS connection and NOT sending it by e-mail again should solve the second point. This of course leads to using the txp users authentication.
Thanks for your help!
Re: Protection Quality
The upcoming version 4.2 will allow you to segment the admin side from the front-end and run it over https if you so desire.