 | | Re: Email Authentication - Why not make it optional?
|
|
Amen to you Brad. I've just gotten onto LUGNET, and it's an absolute hassle to post because of the e-mail authentication. As to how anybody could like this is absolutely bizarre to me, it is time consuming and for the most part unecessary to 99% of (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp, lugnet.general)
|
| |
| | Re: E-mail authentication during posting
|
|
I'm agreeing too.. This kind of authentication is bothering me.... ---> Less messages... "r2" <lego@r2eng.com> schrieb im Newsbeitrag news:GF5CCF.9vH@lugnet.com... (...) and (...) in (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: Email Authentication - Why not make it optional?
|
|
(...) Likewise. I'm happy to see the authentication system implemented. It's been one of my longest-standing concerns about LUGNET's security, and frankly, I'm surprised we've gone as long as we have without it. (...) Yeah, that. I'm not sure what (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp, lugnet.general)
|
| |
| | Re: Email Authentication - Why not make it optional?
|
|
(...) Well allow me to say that I am glad that Todd implemented this measure. Mostly because since it has been implemented, we have gotten rid of the annoying clone. And it will continue to help LUGNET remain a very nice friendly place that I (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp, lugnet.general)
|
| |
| | Email Authentication - Why not make it optional?
|
|
This email authentication is driving me nuts! A lot of people were already timid about posting and now its going to be worse. Since this has happened, I've seen one reply of the nature "Great - I'm so happy you did this!" post and a huge number of (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp, lugnet.general)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) I'm not either -- at least not as something that can be relied upon for everyone. (...) Ya, it's fine for short-term login things when mixed with a password, but HTTP proxy servers really complicate the equation. Basically you can't trust the (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) Inline authentication is used with success in some mailing list packages for moderating lists, but what worries me most about inline authentication is how easy it would be to accidentally cc someone when posting via e-mail (for example, if you (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) you can't have the server scan for the users password in the message, since passwords arn't usually saved anywhere on the server at all. So to check for the password, each word, or combination of chars actually (since space can be part of the (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) Some tricks could be played to make it more secure. One would be to scan the message for the user's password and if it found it, but it didn't seem to be part of an authenticator, bounce the message. It could also use a fuzzy match for the (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) Not to mention the fact that many businesses and ISP's (Roadrunner for one) use DHCP so peoples IP's can and do change from day to day. I agree with Jake in his view that IP based authentication just won't work. Eric Kingsley (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
"Kerry Raymond" <kerry@dstc.edu.au> wrote in message news:GF5uAo.5x1@lugnet.com... (...) in (...) That's quite a neat idea, but as you say prone to risk of revealing the password. I still think that using NNTP authentication will work, esp. if it (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) It would be nice if each NNTP message could carry its own authentication in some simple software-independent solution. One way that might work (for LUGnet members anyway) would be to search the message body for the string (say): (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) And it'd have to be something that can't be easily automated by the poster - this defeats the scheme. I've seen some web pages which generate a bitmap containing a string which isn't easily scanned, and asks you to type the string in to (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) I think that's a concern we all share, including Todd. I know that he has been very concerned about that every time the issue has come up in the past. What we have to do is work towards a system which is as painless as possible, which does not (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
Hi Todd - I'd also like to thank you for this. Now LUGNET is more secure. I do want to continue to voice the concerns a few others have had here though. I also use a newsreader 90% of the time to post, and its an inconvenience. It would be great if (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) Personally, I am not a big fan of doing anything IP based. There are far too many problems. AOL dials, multiple computers (I regularly use three myself) and many other issues have made me decide against this method time and time again. <END (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) IP addresses can easily be spoofed, as long as you don't need an interactive session... as in, if I just need to send an HTTP POST, and don't need to read the reply, I can spoof the source ip with no problem. :/ (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) Not currently, no. Let me think about IP-based authentication for a while. (...) This I can definitely do, but it will have to be at least somewhat interactive so that someone doesn't accidentally cause a message to get posted simply by (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) What Dan said, plus I think IP addresses could be spoofed... ++Lar (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
| |
| | Re: E-mail authentication during posting
|
|
(...) but by doing that, you'll be breaking the whole authentication process - If I know that you have such a rule that auto authorizes posts by you, I can spoof posts as you with no problem... your auto-reply will authorize them without (...) (23 years ago, 19-Jun-01, to lugnet.admin.nntp)
|
