Re: [Tools-team] Agenda for the 14 June 2006 Teleconference
Henrik Levkowetz <henrik@levkowetz.com> Thu, 15 June 2006 09:28 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1Fqo9m-0001Sj-QW; Thu, 15 Jun 2006 05:28:54 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1Fqo9l-0001Sd-Nt
for tools-team@ietf.org; Thu, 15 Jun 2006 05:28:53 -0400
Received: from av12-2-sn2.hy.skanova.net ([81.228.8.186])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fqo9k-0004YO-6H
for tools-team@ietf.org; Thu, 15 Jun 2006 05:28:53 -0400
Received: by av12-2-sn2.hy.skanova.net (Postfix, from userid 502)
id 587EF37E82; Thu, 15 Jun 2006 11:28:51 +0200 (CEST)
Received: from smtp4-1-sn2.hy.skanova.net (smtp4-1-sn2.hy.skanova.net
[81.228.8.92]) by av12-2-sn2.hy.skanova.net (Postfix) with ESMTP
id 4656737E43; Thu, 15 Jun 2006 11:28:51 +0200 (CEST)
Received: from shiraz.levkowetz.com (81-232-110-214-no16.tbcn.telia.com
[81.232.110.214])
by smtp4-1-sn2.hy.skanova.net (Postfix) with ESMTP id EF67837E47;
Thu, 15 Jun 2006 11:28:50 +0200 (CEST)
Received: from localhost ([127.0.0.1])
by shiraz.levkowetz.com with esmtp (Exim 4.62)
(envelope-from <henrik@levkowetz.com>)
id 1Fqo9h-00046p-1i; Thu, 15 Jun 2006 11:28:50 +0200
Message-ID: <44912851.1090501@levkowetz.com>
Date: Thu, 15 Jun 2006 11:28:49 +0200
From: Henrik Levkowetz <henrik@levkowetz.com>
User-Agent: Thunderbird 1.5.0.4 (Macintosh/20060530)
MIME-Version: 1.0
To: Tero Kivinen <kivinen@iki.fi>
Subject: Re: [Tools-team] Agenda for the 14 June 2006 Teleconference
References: <44902CF5.4030606@levkowetz.com> <17552.16412.516987.746408@fireball.kivinen.iki.fi> <449049D5.9030204@levkowetz.com>
<17553.9149.494061.90468@fireball.kivinen.iki.fi>
In-Reply-To: <17553.9149.494061.90468@fireball.kivinen.iki.fi>
X-Enigmail-Version: 0.94.0.0
X-SA-Exim-Connect-IP: 127.0.0.1
X-SA-Exim-Mail-From: henrik@levkowetz.com
X-SA-Exim-Scanned: No (on shiraz.levkowetz.com);
SAEximRunCond expanded to false
X-Spam-Score: 0.1 (/)
X-Scan-Signature: b1c41982e167b872076d0018e4e1dc3c
Cc: Tools-team <tools-team@ietf.org>
X-BeenThere: tools-team@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "The purpose of the TOOLS team is to provide IETF feedback and
guidance during the development of software tools to support
various parts of IETF activities." <tools-team.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tools-team>,
<mailto:tools-team-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tools-team>
List-Post: <mailto:tools-team@ietf.org>
List-Help: <mailto:tools-team-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tools-team>,
<mailto:tools-team-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0897485159=="
Errors-To: tools-team-bounces@ietf.org
Hi Tero, on 2006-06-15 11:09 Tero Kivinen said the following: > Henrik Levkowetz writes: >> > 1) That login manager really needs to require TLS protection, i.e >> > mandate that both the forms and the posts are always using TLS. >> >> Yes. But to do that, I need a proper cert for tools.ietf.org, which >> I don't have. I've been planning to talk with Ray about it for some >> time, but no time... I assume that this has to go through some >> entity that can verify that we have a right to get a cert for >> tools.ietf.org. I also wonder if we need separate certs for >> tools.ietf.org, www1.tools.ietf.org, www2.tools.ietf.org and >> www3.tools.ietf.org... > > As datatracker.ietf.org already has certificate, I assume someone > knows how to get one... Oh, I agree. That won't be the problem, I hope. > And yes, you probably need separate > certificates for each host if you want to run separate tasks on each > of them. If they are all identical i.e. referred always as > tools.ietf.org, then one certificate would be enough, but I guess > there will be some services that will be only on the > www1.tools.ietf.org and not on the others. Right. >> >> > 2) The URL for changing password should only work exactly once, not >> > for 24 hours. The problem with 24 hours is that if someone manages >> > to get the URL later from my mailbox or some other place he can >> > change my password after I changed it. If it works exactly once, >> > either I will get error that password has already been changed >> > using the URL (i.e. I know there was attacker who stole my URL) or >> > the attacker cannot change my password after I have successfully >> > changed it. Perhaps storing the used auth sha1sum to some directory >> > and checking that it cannot be there before continuing. >> >> I agree, and this is already on my todo list, but I wanted to get the >> base functionality out there first. This can be accomplished without >> changing what I have now, only putting in an additional check in the >> script which verifies the hash. > > I that can be quite easily added, by simply adding check after the > auth data checking saying (using /bin/sh syntax as example) > > if [ -f "$authfilesdir/$auth" ] > then > echo "Auth key already used" > exit 1 > else > # Auth key ok, mark it as used > touch "$authfilesdir/$auth" > fi Sure, straightforward. > > And then put cronscript that will remove all files from the > $authfilesdir/$auth that are older than one day. Certainly. >> Something else which you haven't mentioned but is also on my todo list >> is rate limiting on requesting the mail with a new password URL, so >> people can't anonymously annoy others with a stream of mails with >> new password URLs. > > If someone really starts sending thousands of those emails to some > user then he must use quite a lot of his own bandwidth to send those > requests, and after a while the tools.ietf.org machine will get > slow as sending out those emails takes cpu resources... The annoyance value of 50 emails from a source you don't want to block is considerable - it's not so much a bandwidth issue as an annoyance issue, and I'd rather prevent that. Your proposed fix below makes it possible to pursue the miscreant, but doesn't prevent the annoyance... > What you do want to do is to add the information who sent the request > i.e add things like: > > ---------------------------------------------------------------------- > This request was made from 62.61.72.13:57673 > Browser Mozilla/5.0 (X11; U; NetBSD i386; en-US; rv:1.7.12) Gecko/20051028 > ---------------------------------------------------------------------- > > to the end of the email that is sent to the user when password is > requested. That way user will at least know IP-address who is sending > those requests, and can himself continue pursuing the attacker instead > of asking you to check www-server logs... > > I.e. add > > echo "This request was made $ENV{'REMOTE_ADDR'}:$ENV{'REMOTE_PORT'}" > echo "Browser $ENV{'HTTP_USER_AGENT'}" > > to the end of email. Yes, I may add something like this, it may be useful even if I add rate limiting. Regards, Henrik
_______________________________________________ Tools-team mailing list Tools-team@ietf.org https://www1.ietf.org/mailman/listinfo/tools-team
- [Tools-team] Agenda for the 14 June 2006 Teleconf… Henrik Levkowetz
- [Tools-team] Agenda for the 14 June 2006 Teleconf… Tero Kivinen
- Re: [Tools-team] Agenda for the 14 June 2006 Tele… Henrik Levkowetz
- Re: [Tools-team] Agenda for the 14 June 2006 Tele… Tero Kivinen
- Re: [Tools-team] Agenda for the 14 June 2006 Tele… Henrik Levkowetz