Date: Thu, 31 Mar 2022 17:38:11 -0700
From: Kurt H Maier
To: 9front@9front.org
Subject: Re: [9front] 4chan hacked rc-httpd

On Thu, Mar 31, 2022 at 11:54:22PM +0000, Avalon Williams wrote:
> Another note to have with this is just to have better data security,
> in a modified version of werc I'm using I added a number of security
> features (though they were all designed to run on plan9port rather
> than on 9front itself and I never bothered porting them or
> contributing them because they relied on some Linux-specific
> commands), including a salted password hash storage system (I used
> sha-256 but was planning on moving it to use argon2 via a Go utility).
>
> Leaks are always going to happen, it's better to make the data harder
> to access after the fact as well as trying to prevent them in the
> first place.

You're doing the right thing, but I'd personally prefer to see werc not
have an in-house user system at all; there are better protocols to
allow folks access to the underlying directories werc serves. Putting
all your content in a shared 9p-served filesystem, or even some kind of
dvcs, removes a huge attack surface from webshit. Even if you do need
interactivity over http, werc can happily operate by receiving a USER
header from whatever is calling its CGI. Short of that it really should
be using hashed passwords etc, but we've never really had enough use of
the werc-auth stuff to motivate development.

khm
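
An added example, not code from this thread or from werc: one way to move a store of salted single-pass SHA-256 records to a memory-hard KDF by re-hashing each password at its next successful login. It assumes a constructed `$`-separated record format, and uses scrypt from Python's standard library as a stand-in for argon2, which the standard library does not provide.

```python
import hashlib
import hmac
import os

# Constructed record formats (assumptions for this example, not werc's):
#   sha256$<salt hex>$<digest hex>               salted single-pass SHA-256
#   scrypt$<n>$<r>$<p>$<salt hex>$<digest hex>   memory-hard KDF
N, R, P = 2**14, 8, 1  # scrypt cost parameters, about 16 MiB per guess


def hash_legacy(password, salt=None):
    """Salted SHA-256: salts defeat precomputed tables, but guesses stay cheap."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_scrypt(password, salt=None, n=N, r=R, p=P):
    """scrypt: every guess costs the attacker memory as well as CPU time."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${key.hex()}"


def verify(password, record):
    """Return (ok, replacement). replacement is a new scrypt record when a
    legacy record verified and should be overwritten in the store."""
    scheme, *fields = record.split("$")
    try:
        if scheme == "sha256":
            (salt_hex, _digest) = fields
            got = hash_legacy(password, bytes.fromhex(salt_hex))
        elif scheme == "scrypt":
            (n, r, p, salt_hex, _digest) = fields
            got = hash_scrypt(password, bytes.fromhex(salt_hex),
                              int(n), int(r), int(p))
        else:
            return False, None  # unknown scheme: fail closed
    except ValueError:
        return False, None      # malformed record: fail closed
    # Recompute the whole record and compare in constant time.
    ok = hmac.compare_digest(got.encode(), record.encode())
    upgrade = hash_scrypt(password) if ok and scheme == "sha256" else None
    return ok, upgrade
```
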