Frackin script kiddies!!
Jarod Wilson
jarod-ajLrJawYSntWk0Htik3J/w at public.gmane.org
Tue Aug 3 00:27:31 EDT 2010
On Mon, Aug 2, 2010 at 11:55 PM, Richard Pieri <richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On Aug 2, 2010, at 11:06 PM, Jarod Wilson wrote:
>>
>> Well, personally, I think a sane mythweb package puts a config file
>> into apache's config includes directory, not in a .htaccess file. And
>> then you enable authentication and wrap it with ssl. I'm not paranoid
>> enough to worry about requiring a vpn link or ssh tunnels, I've got
>> https access from anywhere.
>
> So does every potential attacker in the world.
Sure.
> Wrapping HTTP in SSL offers no protection to your server. None. Zilch. Nada. It protects the end to end traffic. An attacker still has access to your authentication mechanism and can just as easily launch a brute force or exploit attack against it as he could if the traffic were clear instead of encrypted.
They can launch the same brute force attack and/or go for exploits
against ssh. Or an ipsec vpn. Or anything public-facing. But
seriously, who is going to expend the effort brute-force attacking my
mythtv box to delete some recordings?
--
Jarod Wilson
jarod-ajLrJawYSntWk0Htik3J/w at public.gmane.org
More information about the Discuss
mailing list