williamleonard / obblm

Automatically exported from code.google.com/p/obblm

leegmgr: password encryption for auto-upload #211

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Encryption of the site authentication would allow me to provide a safe and secure method for BOTOCS to send a username and password along with the match report zip after a match is complete.

I am thinking of doing key pairs on a per user basis by adding a column for public_key and a column for private_key.

A URL could be provided to request the public_key for a user. BOTOCS uses it to encrypt the password.

The upload script then grabs the private key to decrypt it and allows the upload to process.

Also would you be interested in something similar for normal site authentication? If so I can write it in the misc_functions.

FYI:
http://us2.php.net/openssl

Original issue reported on code.google.com by funnyfin...@hotmail.com on 25 Aug 2009 at 11:44

GoogleCodeExporter commented 9 years ago
This could easily be just a single public/private key for the entire site, with the private key outside of the www root...

Let me know what you think.

Original comment by funnyfin...@hotmail.com on 25 Aug 2009 at 12:11

GoogleCodeExporter commented 9 years ago
I'm against it. It's overkill for obblm. If you can manage to do it within the module you're welcome.

Original comment by Nimda...@gmail.com on 25 Aug 2009 at 6:35

GoogleCodeExporter commented 9 years ago
I hardly think this little bit of protection would be overkill. If you are in a college dorm, it is extremely easy to sniff the packets and with Wi-Fi it is very easy as well.

But I will write it as part of the module once that table handler is complete.

I think I will just go with a single site public and private key.

Original comment by funnyfin...@hotmail.com on 25 Aug 2009 at 9:55

GoogleCodeExporter commented 9 years ago
No, that's right, but you need to set it into perspective. OBBLM does in no way require such security. It's not sensitive information we deal with - in the ordinary sense anyway. Also, OBBLM sites are not (yet) high profile sites and therefore the lack of SSL poses no risk (as it may for a site like fumbbl). I just don't feel like adding, sorry, unnecessary fluff to obblm - I won't deny the day may come when it would be appropriate, but we are not there yet.

Original comment by Nimda...@gmail.com on 25 Aug 2009 at 10:53

GoogleCodeExporter commented 9 years ago
Well thinking about this a little more, my method is bad anyway. Using a non-expiring key would still let someone capture it, post their own form to authenticate and such.

What do you think about BOTOCS asking for the username and password and then sending the password as the MD5 hash to my script which would then compare it directly to the hashed password in the DB?

Original comment by funnyfin...@hotmail.com on 26 Aug 2009 at 5:54
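
The replay concern raised in the comment above applies to a fixed MD5 hash as well; this added example (not part of the thread, and not OBBLM or BOTOCS code) puts the static-hash check next to a one-time challenge-response check so the difference on a resent value can be seen. The user name, password, function names and the assumption that the DB stores `md5(password)` are constructed for illustration.

```php
<?php
// Added example, not OBBLM or BOTOCS code. All names and values are constructed.
// Assumption: the DB stores md5(password) per user, as the comment above implies.
$db = ['coach1' => md5('constructed-password')];
$nonces = [];   // outstanding one-time challenges, keyed by username

// Scheme from the comment: the client sends md5(password), the server compares.
function verify_static(array $db, string $user, string $sentHash): bool {
    return isset($db[$user]) && hash_equals($db[$user], $sentHash);
}

// Alternative: the server issues a fresh random challenge per upload.
function issue_challenge(array &$nonces, string $user): string {
    return $nonces[$user] = bin2hex(random_bytes(16));
}

// Client side: prove knowledge of md5(password) without sending it.
function client_response(string $password, string $nonce): string {
    return hash_hmac('sha256', $nonce, md5($password));
}

// Server side: recompute the HMAC with the stored hash and burn the nonce.
function verify_challenge(array $db, array &$nonces, string $user, string $resp): bool {
    if (!isset($db[$user], $nonces[$user])) {
        return false;
    }
    $nonce = $nonces[$user];
    unset($nonces[$user]);                 // single use, even on failure
    return hash_equals(hash_hmac('sha256', $nonce, $db[$user]), $resp);
}

// 1. Static hash: the value seen on the wire once is all the server ever checks.
$onWire = md5('constructed-password');
var_dump(verify_static($db, 'coach1', $onWire));   // legitimate upload
var_dump(verify_static($db, 'coach1', $onWire));   // same bytes resent later

// 2. Challenge-response: each response is tied to one challenge.
$n1 = issue_challenge($nonces, 'coach1');
$resp = client_response('constructed-password', $n1);
var_dump(verify_challenge($db, $nonces, 'coach1', $resp));   // legitimate upload
issue_challenge($nonces, 'coach1');                          // next upload, new nonce
var_dump(verify_challenge($db, $nonces, 'coach1', $resp));   // old response resent
```

In both schemes the stored MD5 value is still equivalent to the password for anyone who can read the DB, and neither protects the match report zip itself in transit; TLS on the upload URL covers both.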

GoogleCodeExporter commented 9 years ago
I think that sounds fair. In that case it would be appropriate :-).

Original comment by Nimda...@gmail.com on 26 Aug 2009 at 5:57

GoogleCodeExporter commented 9 years ago
BTW - related to automation, BOTOCS will allow users to select their OBBLM teams directly from BOTOCS.

Original comment by funnyfin...@hotmail.com on 26 Aug 2009 at 6:14

GoogleCodeExporter commented 9 years ago
Really? Wow, nice.

Original comment by Nimda...@gmail.com on 26 Aug 2009 at 6:23

GoogleCodeExporter commented 9 years ago

Original comment by funnyfin...@hotmail.com on 16 Sep 2009 at 8:41

GoogleCodeExporter commented 9 years ago

Original comment by funnyfin...@hotmail.com on 16 Sep 2009 at 8:43

GoogleCodeExporter commented 9 years ago

Original comment by Nimda...@gmail.com on 9 Oct 2009 at 8:20

GoogleCodeExporter commented 9 years ago
Closing for now.

Original comment by funnyfin...@hotmail.com on 7 Dec 2009 at 9:02