Antville Project

Tuesday, 14. January 2003

securing our passwords

I just stumbled over the outcome of the story Login/Logout - its not a bug its a feature and I'm not very pleased with the implemented 'solution' (others aren't, too; see help.antville). Of course, it is better than nothing, because someone who takes the time to check the URL of the login form now can be sure that it hasn't been tampered with. But this is more or less insider information, and insiders don't normally log in at untrusted blogs anyway. Here's an excerpt of the comment I posted under this story a couple of weeks ago:

IMO that approach isn't any good. it's nice of nosleep to document the issue and of you to try to prevent abuse, but you simply can't prevent a weblog creator who's allowed to integrate HTML without restrictions from fooling his visitors. restricting features will definitely annoy blog owners who lose control over their creations, but it won't help protecting innocent visitors, because a workaround that will still fool many of them can always be implemented.
The idea of making the login process "a little more secure" is futileā€”it either is secure or it's not. To prove my point, I just added a customised login form to my blog. As I already said, this approach would only work if several more restrictions would be implemented, some of which would be ridiculously nasty.

I'd suggest, if we really want to prevent that users' passwords are stolen, we should all make our login links point to the safe login, and there we should put up a message warning users of logging in anywhere else. This is how most sites with similar issues (e.g. go.icq.com) handle this. Educating the users, warning them of the dangers and presenting them with a safe workaround really is the only way to prevent them from doing stupid things.

Another possibility would be to restrict the customisation of skins so much that it's basicly not possible to write custom HTML any longer, which would make all blogs look somewhat the same and throw the whole Antville philosophy over board, so I'd say we shouldn't go for that.

I would be okay with having every user log in at www.antville.org, but as long as they're supposed to have the option of logging in at my blog, I want to customise that form so it fits in with the rest. So please lift that restriction, it doesn't do any good anyway.

link (no comments) 
 

The Antville Server Fund has been a great success. Thanks to everybody who contributed!
online for 8549 Days
last updated: 1/4/11, 10:22 AM
status
Youre not logged in ... Login
menu
January 2003
SunMonTueWedThuFriSat
1234
567891011
12131415161718
19202122232425
262728293031
DecemberFebruary
recent
zfuture's house here is zfuture's
house
by zfuture (7/31/03, 2:59 AM)
i understand your concerns however,
i hardly can think of a solution. certainly, if the...
by tobi (7/29/03, 9:47 AM)
Found several more similar sites
listed This is getting to be quite a concern to...
by cobalt123 (7/27/03, 7:56 PM)
Second Post Alert on Referrer
bug livecatz I put this into "help" and now here:...
by cobalt123 (7/26/03, 7:14 PM)
well it's not easy to
find from here, anyway. think we should include a link,...
by tobi (7/24/03, 11:25 AM)
So finally I found
the helma Bugzilla - stupid me.
by mdornseif (7/24/03, 10:28 AM)
clock not that it's particularly
earthshattering but the antclock is running slow by about 15...
by kohlehydrat (7/23/03, 8:25 PM)
but blogosphere.us isn't can't really
be rated as spam can it?
by kohlehydrat (7/23/03, 8:08 PM)
More referrer spam www.webfrost.com
by Irene (7/23/03, 7:55 PM)
How to log skin names
I accessed to console?? Hi, I would like to know...
by winson (7/23/03, 4:12 PM)

Click here to get an XML version of this weblog.

Made with Antville
powered by
Helma Object Publisher