To LUGNET HomepageTo LUGNET News HomepageTo LUGNET Guide Homepage
 Help on Searching
 
Post new message to lugnet.admin.generalOpen lugnet.admin.general in your NNTP NewsreaderTo LUGNET News Traffic PageSign In (Members)
 Administrative / General / 9469
9468  |  9470
Subject: 
 Re: posting varification, ug!
Newsgroups: 
 lugnet.admin.general
Date: 
 Mon, 13 Aug 2001 17:33:48 GMT
Viewed: 
 265 times
  
Steve Bliss wrote:
In lugnet.admin.general, Dan Boger writes:
true that that's only for the web interface.  However, I don't know the
distribution of users between web/nntp/smtp.  Do you have any data?

I'm willing to bet that the distribution of posting has shifted toward the
Web interface since the authentication has gone into effect.  At least among
LUGNET *members*.

nod - that does make sense.  I know Jennifer and I still don't use the web interface, but we're special :)

Authenticated posting only makes sure you're allowde to access the server -
it does not (without hacking at the news server), make sure you post only as
yourself.  As such, it would not solve the problem that the posting auth came
to solve.

If members are spoofing posts, there's a real problem.  I'd think that if
someone does NNTP-authentication to their membership id/password[1], they
should be able to post via NNTP without further confirmations.

since anyone can become a member, if a malicious user wanted to spoof Suz, for instance, all he had to do is fork out $10...  Doesn't sound like much of a problem to me...  True, it might be easier to track such spoofs down, but it won't stop them from happening.

1) If NNTP-authentication passes passwords in the clear, then this approach
should not be considered.  Unfortunately. :(

they are, but so are http based passowrds - but if someone has the ability to sniff the traffic coming out of your computer, it's very likely that he'd be able to get your cookies, your passwords and anything else he wants...

:)

Dan



Message has 1 Reply:
  Re: posting varification, ug!
 
(...) Ya, this is somewhat of a loophole (but a known one, and mentioned when the authentication mechanism was announced) and it needs closing. On the other hand, if someone were to try this, their Member ID would appear in the NNTP headers of the (...) (23 years ago, 14-Aug-01, to lugnet.admin.general)

Message is in Reply To:
  Re: posting varification, ug!
 
(...) I'm willing to bet that the distribution of posting has shifted toward the Web interface since the authentication has gone into effect. At least among LUGNET *members*. (...) If members are spoofing posts, there's a real problem. I'd think (...) (23 years ago, 13-Aug-01, to lugnet.admin.general)

15 Messages in This Thread:





Entire Thread on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact

This Message and its Replies on One Page:
Nested:  All | Brief | Compact | Dots
Linear:  All | Brief | Compact
    
Custom Search

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR