Re: [9front] 4chan hacked rc-httpd

9front - general discussion about 9front
 help / color / mirror / Atom feed

From: Kurt H Maier <khm@sciops.net>
To: 9front@9front.org
Subject: Re: [9front] 4chan hacked rc-httpd
Date: Thu, 31 Mar 2022 17:38:11 -0700	[thread overview]
Message-ID: <YkZJc0nF4a/X8gtS@wopr> (raw)
In-Reply-To: <ttG_69SucNyNUvtb74BYfFu9f-uw1tTcIcIztINdKUHjLAPNjUh6DVyiOo1cceJjvnNTbDqt_9xCxcPNKG2tsOvdKRpagK5BYQZUI99wT7k=@protonmail.com>

On Thu, Mar 31, 2022 at 11:54:22PM +0000, Avalon Williams wrote:
> Another note to have with this is just to have better data security, in a modified version of werc I'm using I added a number of security features (though they were all designed to run on plan9port rather than on 9front itself and I never bothered porting them or contributing them because they relied on some Linux-specific commands), including a salted password hash storage system (I used sha-256 but was planning on moving it to use argos2 via a go utility).
> 
> Leaks are always going to happen, its better to make the data harder to access after the fact as well as trying to prevent them in the first place.

You're doing the right thing, but I'd personally prefer to see werc not
have an in-house user system at all; there are better protocols to allow
folks access to the underlying directories werc serves.  Putting all
your content in a shared 9p-served filesystem, or even some kind of
dvcs, removes a huge attack surface from webshit.  

Even if you do need interactivity over http, werc can happily
operate by receiving a USER header from whatever is calling its CGI.
Short of that it really should be using hashed passwords etc, but we've
never really had enough use of the werc-auth stuff to motivate
development.

khm

     prev parent reply	other threads:[~2022-04-01  0:43 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-31 18:10 sl
2022-03-31 19:35 ` sirjofri
2022-03-31 20:17   ` Kurt H Maier
2022-03-31 20:26     ` Stanley Lieber
2022-04-03  3:26       ` sl
2022-04-03 18:05         ` adr
2022-03-31 20:29   ` ori
2022-03-31 23:54 ` Avalon Williams
2022-04-01  0:38   ` Kurt H Maier [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YkZJc0nF4a/X8gtS@wopr \
    --to=khm@sciops.net \
    --cc=9front@9front.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).