Repository (In)Security

Repository (In)Security

Sean P. DeNigris
Administrator
We were sitting here looking at some unencrypted network traffic and it hit me - our StHub, SqS, and ss3 credentials are always unencrypted. This is a tremendous security hole. Someone could grab the credentials of a more prominent member of the community who has admin rights to many repos and start uploading arbitrary Zip files with who-knows-what embedded.

SSL certificates are so cheap today. Will ESUG purchase them for our community servers?

I personally have deleted all my private repos, and moved them to BitBucket, which I can access via SSH, but it doesn't solve the problem because of course any open source St project I load will open the flood gates!
Cheers,
Sean

Re: Repository (In)Security

Damien Cassou-2

Hi Sean,

Sean P. DeNigris <[hidden email]> writes:

> We were sitting here looking at some unencrypted network traffic and it hit
> me - our StHub, SqS, and ss3 credentials are always unencrypted. This is a
> tremendous security hole. Someone could grab the credentials of a more
> prominent member of the community who has admin rights to many repos and
> start uploading arbitrary Zip files with who-knows-what embedded.
>
> SSL certificates are so cheap today. Will ESUG purchase them for our
> community servers?
>
> I personally have deleted all my private repos, and moved them to BitBucket,
> which I can access via SSH, but it doesn't solve the problem because of
> course any open source St project I load will open the flood gates!

thank you for raising the issue.

The ESUG board can pay such a certificate. Nonetheless, the problem is
not paying but installing the certificate and maintaining the server. We
already have too little time to dedicate to server maintenance.

We are looking for volunteers.

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill

_______________________________________________
Esug-list mailing list
[hidden email]
http://lists.esug.org/mailman/listinfo/esug-list_lists.esug.org

Re: Repository (In)Security

Steven R. Baker
I'll volunteer if someone can give me an overview of how things are set up. I enjoy a little bit of server maintenance from time to time.

On 26 August 2015 09:28:42 CEST, Damien Cassou <[hidden email]> wrote:

> Hi Sean,
>
> Sean P. DeNigris <[hidden email]> writes:
>
> > We were sitting here looking at some unencrypted network traffic and it hit
> > me - our StHub, SqS, and ss3 credentials are always unencrypted. This is a
> > tremendous security hole. Someone could grab the credentials of a more
> > prominent member of the community who has admin rights to many repos and
> > start uploading arbitrary Zip files with who-knows-what embedded.
> >
> > SSL certificates are so cheap today. Will ESUG purchase them for our
> > community servers?
> >
> > I personally have deleted all my private repos, and moved them to BitBucket,
> > which I can access via SSH, but it doesn't solve the problem because of
> > course any open source St project I load will open the flood gates!
>
> thank you for raising the issue.
>
> The ESUG board can pay such a certificate. Nonetheless, the problem is
> not paying but installing the certificate and maintaining the server. We
> already have too little time to dedicate to server maintenance.
>
> We are looking for volunteers.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Repository (In)Security

Damien Cassou-2

Steven R. Baker <[hidden email]> writes:

> I'll volunteer if someone cab give me an overview of how things are
> set up. I enjoy a little bit of server maintenance from time to time.

those interested should contact "Marcus Denker" <[hidden email]>
to build a maintainer team.

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill


Re: Repository (In)Security

Sean P. DeNigris
Administrator
Damien Cassou-2 wrote:

> those interested should contact "Marcus Denker" to build a maintainer team.

I will help, too. I will contact Marcus…
Cheers,
Sean