On February 8, 2003 at 00:40, Gunnar Hjalmarsson wrote:
And how would incoming messages be piped in automatically? If you
are implying some HTTP method, this can be very insecure. The only
way to do this securely is to have mhastart.pl accessible only via
an SSL connection and password access. A client (maybe written in
LWP) could be written that connects via HTTPS, and sends the proper
username/password with the message. Of course, the access to client
itself would need to be protected to avoid someone getting access
to the password.
Do you mean that invoking MHonArc from a script run under mod_perl
requires a higher security level than when invoked from a CGI script?
No, they both require the same level of security, especially if
doing any automated based invocation.
However, mod_perl does carry some more risk since any "script"
is running within the context of an HTTP server process and not
an isolated process like a CGI program is.
In the end it's of course up to each user to choose based on an
evaluation of potential risks in the light of the nature of the archive,
supplementary backup procedures etc.
The problem is people fail to make a proper evaluation, typically
making the false assumption that "I do not have anything of worth."
When there are straight-forward steps for making things more secure,
they should be done. The cost of dealing with someone who has hacked
into your data is much higher than the cost of setting up decent road
blocks to prevent such events.
--ewh