 |
|
|
|
|
|
| |
| |
|
|
|
|
| |
| |
|
|
In article <3d2d31ea@news.povray.org>, tho### [at] trf de says...
> The site is the way it is for reasons I have made clear and which are
> perfectly logical. If you don't like the HTML of the site, fine, that is
> your opinion.
I still don't agree with you, but Ok, EOD.
Lutz-Peter
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On Thu, 11 Jul 2002 00:26:15 +0200, "Thorsten Froehlich" <tho### [at] trfde>
wrote:
> > What is the sense of having password and typing it with ****** when it is not
> > coded within hidden field without any secure connection?
>
> So nobody can see on your screen what you typed. As the connection is never
> secure, transferring it once more over the network doesn't really make it
> less secure.
The difference is that when you type it and you post then it not appear on
your own hard disc (unless autocompletion for forms in IE is on). But when it
is in hidden field it stays in cache of pages. The one of typical users
mistakes is that they use the same password for different purposes. If they
could use this for povray.org it is possible they could use it for something
different. Why to leave doors for less experienced hackers? Of course that's
responsibility of user but otherway there is no sense to make KFKT<MJY765*%$7
as password if it is only for user info at povray.org.
Another question: is it necessary to create login page with my email
recognized with cookies? I have not seen checkbox like "insert email adress
automatically" and since my email is called "private" in registration page I
expect I want it put every time when I log. Especially when it is written
above login form that I have to type email. I you want to recognize me just do
it but don't fill forms automatically, please. If somebody want it then can
use feature in IE.
ABX
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
wrote:
> I hope I wasn't too detailed.
When national characters are inserted into user name during registration then
it is corectly stored as unicode codes and corectly viewed on country lists
(like for example stroked l in my name is coded as ł). But when they are
sended to form of Edit Login then they are destroyed becouse & in code is
converted into & which destroys meaning of whole code and results in
Włodzimierz which is usless in form.
ABX
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
wrote:
> I hope I wasn't too detailed.
"Mcdonald Islands" should be "McDonald Islands" probably :-)
ABX
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Skiba <abx### [at] babilonorg> wrote:
> The difference is that when you type it and you post then it not appear on
> your own hard disc (unless autocompletion for forms in IE is on). But when it
> is in hidden field it stays in cache of pages. The one of typical users
> mistakes is that they use the same password for different purposes. If they
> could use this for povray.org it is possible they could use it for something
> different. Why to leave doors for less experienced hackers? Of course that's
> responsibility of user but otherway there is no sense to make KFKT<MJY765*%$7
> as password if it is only for user info at povray.org.
I think you are really missing the point here. There are numerous services
out there that transmit plain password. The two most popular ones are:
* FTP, that is whenever you log into your web site to upload files, you
transmit that password in clear text!
* POP3 mailboxes, that is at least everybody who uses something else than
webmail or AOL, which ends up being a real lot of people!
I am sure you agree that both contain or may contain for more sensitive
data, yet it hardly is a problem. In fact, the work someone needs to invest
into getting your password just to change you public information or get your
private email address lets this be out of the question. It would simply not
be worth the effort and resources.
This is all different when providing your credit card data online, because
then there is money to be made from the information, but of course
povray.org doesn't ask for it, aned the IRTC CD order page is secure using
SSL as it should be.
> Another question: is it necessary to create login page with my email
> recognized with cookies?
Just turn off cookies or turn off that particular cookie.
> I have not seen checkbox like "insert email adress
> automatically" and since my email is called "private" in registration page I
> expect I want it put every time when I log. Especially when it is written
> above login form that I have to type email. I you want to recognize me just do
> it but don't fill forms automatically, please.
Actually, I spend a lot of time to make the secure. Only you with your
cookie will see the address. Nobody else can. So unless you don't want the
person looking over your shoulder to know your email address, I am afraid I
see no problem but only a convenience. Oh, and keep in mind that each time
you use that email addresses it will go through possibly dozens of servers
were someone can just log it.
> If somebody want it then can
> use feature in IE.
Not everybody uses IE!
In short, it is not more or less secure than the rest of the internet.
Adding SSL would just give people an impression of false security that never
existed in the first place.
Thorsten
____________________________________________________
Thorsten Froehlich, Duisburg, Germany
e-mail: tho### [at] trfde
Visit POV-Ray on the web: http://mac.povray.org
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Skiba <abx### [at] babilonorg> wrote:
> "Mcdonald Islands" should be "McDonald Islands" probably :-)
Yes, the list is based on the official ISO country code list, which
unfortunately only comes with all upper-case names. So they are turned into
mixed-case words automatically.
Thorsten
____________________________________________________
Thorsten Froehlich, Duisburg, Germany
e-mail: tho### [at] trfde
Visit POV-Ray on the web: http://mac.povray.org
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Skiba <abx### [at] babilonorg> wrote:
> When national characters are inserted into user name during registration then
> it is corectly stored as unicode codes and corectly viewed on country lists
> (like for example stroked l in my name is coded as ł). But when they are
> sended to form of Edit Login then they are destroyed becouse & in code is
> converted into & which destroys meaning of whole code and results in
> Włodzimierz which is usless in form.
Well, you are not supposed to use non-ASCII characters: There is absolutely
no guarantee it will work, just like with any other internet service out
there.
Thorsten
____________________________________________________
Thorsten Froehlich, Duisburg, Germany
e-mail: tho### [at] trfde
Visit POV-Ray on the web: http://mac.povray.org
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
> * FTP, that is whenever you log into your web site to upload files, you
> transmit that password in clear text!
There are extensions to FTP to make it secure...but yes it is usually clear
text
>
> * POP3 mailboxes, that is at least everybody who uses something else than
> webmail or AOL, which ends up being a real lot of people!
That is about the dumbest statement I've heard all day. First of all most
corparations use IMAP and not POP. Secondly POP has MANY extensions for
secure passwords, and many clients/servers implement them so the average
person will not have a clear text password, and thirdly POP can be used with
SSL or TLS. The actual percentage of people who send clear text passwords
on a regular basis is very low.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
In article <3d2f252e@news.povray.org>, "Thorsten Froehlich"
<tho### [at] trfde> wrote:
> Well, you are not supposed to use non-ASCII characters: There is absolutely
> no guarantee it will work, just like with any other internet service out
> there.
Of course, this does not mean that I don't find it annoying as well, after
all, my last name has on umlaut-o in its native spelling. However, the
actual problem here is security plus support problems. The only way we
could solve it would be to request form input in UTF-8. I am not sure that
works everywhere. As far as HTML tags are concerned, as you noticed, that
is just stripped away, which is a pure security precaution as allowing HTML
layout could be used for all kinds of server abuse.
Thorsten
____________________________________________________
Thorsten Froehlich, Duisburg, Germany
e-mail: tho### [at] trfde
Visit POV-Ray on the web: http://mac.povray.org
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
In article <3d2f27d6$1@news.povray.org> , "Fox Neilson"
<ine### [at] myrealboxcom> wrote:
>> * POP3 mailboxes, that is at least everybody who uses something else than
>> webmail or AOL, which ends up being a real lot of people!
>
> That is about the dumbest statement I've heard all day.
Oh thank you for the compliment. I think it is only proper if I say the
same about your statement. Maybe get a clue before you say something.
Really helps, you know, I do actually know what I am talking about. Do you?
> First of all most corporations use IMAP and not POP.
I said nothing to contradict this, so no point in mentioning it.
> The actual percentage of people who send clear text passwords
> on a regular basis is very low.
If that is your opinion, fine, but that doesn't make it a fact...
Thorsten
____________________________________________________
Thorsten Froehlich
e-mail: mac### [at] povrayorg
I am a member of the POV-Ray Team.
Visit POV-Ray on the web: http://mac.povray.org
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
