Re:[jasig-webpresence] [jasig-infrastructure] http: login to Jasig drupal?

Re:[jasig-webpresence] [jasig-infrastructure] http: login to Jasig drupal?

Eric Dalquist
This would be a question for the Jasig Web Presence group and more
specifically WebChuckWeb. We do have a *.jasig.org ssl certificate so we
have the ability to encrypt that traffic if WCW can get it setup.

One note: while an attacker could easily change the URL the downloads
point to, that login in no way allows someone to upload to
downloads.jasig.org. You have to have ssh access to the Contegix hosted
machine for that ability.

-Eric

On 06/10/2011 02:54 PM, Andrew Petro wrote:

> Infrastructure@,
>
> Currently, I believe the only option for login to www.jasig.org's
> Drupal instance is via http://
>
> http://www.jasig.org/user/login
>
> Posting passwords over HTTP is a worst practice and theoretically,
> sooner or later it will result in an account compromise.
>
> Some of the content on jasig.org *is* worth protecting, e.g. CAS
> server software downloads.  It would be annoying and embarrassing, at
> best, for an adversary to introduce a password logging listener into
> the CAS release, e.g.
>
>
> Mostly this concern is more about good form than it is about a real
> worry.
>
> That said, how to go about achieving use of https:// for login to
> www.jasig.org, and preferably https:// for all authenticated sessions?
>
> Andrew
>
>


https for login and authenticated sessions on jasig.org Drupal

Andrew Petro
Web Chuck Web,

How about this? https:// for login and for logged in sessions?

Andrew


On 06/10/2011 04:00 PM, Eric Dalquist wrote:

> This would be a question for the Jasig Web Presence group and more
> specifically WebChuckWeb. We do have a *.jasig.org ssl certificate so
> we have the ability to encrypt that traffic if WCW can get it setup.
>
> One note: while an attacker could easily change the URL the downloads
> point to, that login in no way allows someone to upload to
> downloads.jasig.org. You have to have ssh access to the Contegix
> hosted machine for that ability.
>
> -Eric
>


--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/jasig-webpresence
Re:[jasig-webpresence] https for login and authenticated sessions on jasig.org Drupal

Chuck Crandall
Andrew,

That is definitely something we could set up.  We currently have jasig.org on a shared IP address, so we'll first need to change that to a dedicated IP to work with SSL.  After that we'd just need to work with someone with the SSL certificate access to set up https:// on the site.

Thanks,
Chuck
Chuck Crandall
WebChuck Web
(801) 939-3246
On Fri, Jun 10, 2011 at 2:06 PM, Andrew Petro <[hidden email]> wrote:
Web Chuck Web,

How about this? https:// for login and for logged in sessions?

Andrew


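Andrew's request above has two parts: the login must not be reachable over plain http, and the logged-in session must not leak back over http. A redirect on /user/login alone does not give the second part; the session cookie also needs the Secure flag. The following audit is an added example, not code from the thread or from jasig.org's Drupal setup; the captured responses are constructed, and the SESS/SSESS cookie-name convention is Drupal's default.

```python
"""
Audit captured HTTP responses from a Drupal login flow for the two
properties asked for in the thread: the login page is only served over
https, and the session cookie cannot be sent back over plain http.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: list[tuple[str, str]] = field(default_factory=list)

    def all(self, name: str) -> list[str]:
        """All values of a header, case-insensitively (Set-Cookie repeats)."""
        return [v for k, v in self.headers if k.lower() == name.lower()]


def parse_response(raw: str) -> Response:
    """Parse the head (status line + headers) of a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return Response(status, headers)


def cookie_flags(set_cookie: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) for a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_login(request_url: str, raw: str) -> list[str]:
    """Return findings for one request/response pair; an empty list is a pass."""
    findings = []
    resp = parse_response(raw)
    scheme = urlsplit(request_url).scheme
    if scheme == "http":
        # A plain-http hit on the login page must be redirected to https,
        # never answered with the form (the form would post the password in clear).
        if resp.status in (301, 302, 303, 307, 308):
            loc = resp.all("Location")
            if not loc or urlsplit(loc[0]).scheme != "https":
                findings.append("http login redirect does not go to https")
        else:
            findings.append("login page served over plain http (no redirect)")
    for sc in resp.all("Set-Cookie"):
        name, attrs = cookie_flags(sc)
        # Drupal's session cookie is named SESS<hash> by default
        # (SSESS<hash> for the https-only cookie in Drupal 7 mixed mode).
        if name.upper().startswith(("SESS", "SSESS")):
            if "secure" not in attrs:
                findings.append(f"session cookie {name} lacks Secure flag")
            if "httponly" not in attrs:
                findings.append(f"session cookie {name} lacks HttpOnly flag")
            if scheme == "http":
                findings.append(f"session cookie {name} issued over plain http")
    return findings


# Constructed samples: the situation described in the thread, and the fixed one.
LOGIN_HTTP = "http://www.jasig.org/user/login"
LOGIN_HTTPS = "https://www.jasig.org/user/login"
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Set-Cookie: SESS1234=abcd; expires=Fri, 01 Jul 2011 00:00:00 GMT; "
        "path=/; HttpOnly\r\n\r\n<html>login form</html>")
FIXED_REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\n"
                  "Location: https://www.jasig.org/user/login\r\n"
                  "Content-Length: 0\r\n\r\n")
FIXED_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               "Set-Cookie: SSESS1234=abcd; path=/; secure; HttpOnly\r\n\r\n"
               "<html>login form</html>")


def demo() -> dict[str, list[str]]:
    return {
        "weak": audit_login(LOGIN_HTTP, WEAK),
        "fixed_redirect": audit_login(LOGIN_HTTP, FIXED_REDIRECT),
        "fixed_https": audit_login(LOGIN_HTTPS, FIXED_HTTPS),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result or "OK")
```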
Re: https for login and authenticated sessions on jasig.org Drupal

Eric Dalquist
Chuck, if you can provide me with a secure way to transfer the cert files to you I can get them sent over at any time. If you don't have that ability I can look into getting a secure transfer setup.

-Eric

On 6/13/11 4:46 PM, Chuck Crandall wrote:
Andrew,

That is definitely something we could set up.  We currently have jasig.org on a shared IP address, so we'll first need to change that to a dedicated IP to work with SSL.  After that we'd just need to work with someone with the SSL certificate access to set up https:// on the site.

Thanks,
Chuck
Chuck Crandall
WebChuck Web
(801) 939-3246
Re:[jasig-webpresence] https for login and authenticated sessions on jasig.org Drupal

Andrew Petro
Ok.  So, the first step is to get to a dedicated IP address.  That didn't sound like something requiring Jasig involvement.  WebChuckWeb will go ahead and orchestrate that change, and then ping Jasig to hand over the SSL certificate?

Andrew


On 6/13/2011 3:46 PM, Chuck Crandall wrote:
Andrew,

That is definitely something we could set up.  We currently have jasig.org on a shared IP address, so we'll first need to change that to a dedicated IP to work with SSL.  After that we'd just need to work with someone with the SSL certificate access to set up https:// on the site.

Thanks,
Chuck
Chuck Crandall
WebChuck Web
(801) 939-3246
Re:[jasig-webpresence] https for login and authenticated sessions on jasig.org Drupal

Chuck Crandall
Andrew,

Actually, I will need to coordinate with a Jasig team member to update the DNS records to reflect the IP change.  We currently have an A record pointing to the current IP, and that will need to be updated to the new IP address.  Eric Dalquist has already contacted me about setting up the SSL, so I will work with him on the DNS change also.

Thanks,
Chuck

Chuck Crandall
WebChuck Web
(801) 939-3246
On Tue, Jun 14, 2011 at 7:06 AM, Andrew Petro <[hidden email]> wrote:
Ok.  So, the first step is to get to a dedicated IP address.  That didn't sound like something requiring Jasig involvement.  WebChuckWeb will go ahead and orchestrate that change, and then ping Jasig to hand over the SSL certificate?

Andrew

Re: https for login and authenticated sessions on jasig.org Drupal

Eric Dalquist
So when you make the switch will requests to the old IP no longer work? If so I think we should wait until the end of the week and make the switch Friday evening to reduce the impact.

-Eric

On 10/03/2011 10:55 AM, Chuck Crandall wrote:
Eric,

Thanks, you can delete the link now.  The new IP will be:

67.225.251.181

Can we switch it today before 7pm ET?  I assume there will be some down-time while the DNS update propagates, but if we can set the TTL low we can reduce that time.

Thanks,
Chuck 

Chuck Crandall
WebChuck Web
(801) 939-3246
On Fri, Sep 30, 2011 at 1:07 PM, Eric Dalquist <[hidden email]> wrote:
I got poked by someone to follow up on this. I've posted the *.jasig.org certificate here: https://mywebspace.wisc.edu/xythoswfs/webui/_xy-43588832_1-t_EKpe26oV

The password is: jasig

Please let me know when you've downloaded the certificate so I can delete the link; this is a pretty important cert since it would let an attacker impersonate pretty much everything Jasig does :)

As for the DNS change, just let me know the new IP and when to make the switch and I can.

-Eric


On 06/14/2011 10:34 AM, Chuck Crandall wrote:
Or even more obscure, create a page on the dev site at http://jasig.webchuckhosting.com/user, which you can log into with the same credentials as the live site.

Thanks,
Chuck

Chuck Crandall
WebChuck Web
(801) 939-3246
On Tue, Jun 14, 2011 at 9:31 AM, Chuck Crandall <[hidden email]> wrote:
Eric,

I believe in security by obscurity.  Do you have any place you can post the cert file that won't be seen?  If you have jasig.org admin rights you could post a ZIP file there attached to an unpublished node, send me the path, and I can delete it once I download it.

Also, we need to change the IP address in the DNS for jasig.org.  Can you help me with that?  Once I update the server it will take the site off-line until the DNS is updated and propagates, so we'll need to do it at a low-traffic time.

Thanks,
Chuck
Re: https for login and authenticated sessions on jasig.org Drupal

Eric Dalquist
Yeah unfortunately NetworkSolutions being the awesome company that they are sets 1 hour (3600) as the lowest possible TTL that can be set on domains. I've done that for the three A records that point to WCW but an hour is still a long time to have our main web presence unavailable, especially since a few releases were announced this morning.

Let's plan on 6pm ET on Thursday for doing the switch.

-Eric

On 10/03/2011 12:19 PM, Chuck Crandall wrote:
Eric,

Yes, once the switch is made the old IP will no longer work, as we can only assign one IP to a site.  However, if we temporarily update the TTL to 1 minute a few hours before we make the switch, I believe we would have little to no downtime.  And the TTL is currently set to 2 hours, so the added load to the DNS servers would only have to be for a few hours.

Also, I am not available on Friday evenings for troubleshooting, so we will need to make this update during the week.  I am available any time this week between 10am and 7pm ET Monday - Thursday.

Thanks,
Chuck

Chuck Crandall
WebChuck Web
(801) 939-3246
Re: https for login and authenticated sessions on jasig.org Drupal

Eric Dalquist
Sounds good.

For the Web Presence folks. It sounds like people will have an hour or two of time where www.jasig.org may be inaccessible for them starting at 5pm ET on Thursday the 6th. Not sure if you're interested in doing any sort of notification.

-Eric

On 10/03/2011 12:32 PM, Chuck Crandall wrote:
Eric,

Bummer, I didn't realize we were dealing with Network Solutions limitations.  I'll plan on Thursday, 6pm ET, and email you before I make the switch.

Thanks,
Chuck

Chuck Crandall
WebChuck Web
(801) 939-3246