[sr-dev] Wiki site registration updates - OFF-TOPIC

Daniel-Constantin Mierla miconda at gmail.com
Mon Apr 1 22:06:49 CEST 2013


Hello,

On 4/1/13 9:57 PM, Marius Zbihlei wrote:
> Hello,
>
> Comments inline
>
>
> On Mon, Apr 1, 2013 at 8:27 PM, Daniel-Constantin Mierla 
> <miconda at gmail.com <mailto:miconda at gmail.com>> wrote:
>
>
>     On 4/1/13 9:13 PM, Marius Zbihlei wrote:
>>     Some ideas about improving the security of the site:
>>
>>     1. Drop http connections for authentication pages
>     Not sure how much it will help, as the bots were able to create
>     accounts by solving the captcha. HTTPS is no longer something hard
>     to get in any application. So far so good with the new system, no
>     spammer got that familiar with Kamailio modules :-), but there
>     were few new valid accounts.
>
>
> Well,
>
> I would be very nice  for the https://www.kamailio.org to work (at the 
> moment it returns an 200 OK with an empty HTML Page). Also, I consider 
> bad security practice to allow traffic that is uncrypted for login 
> forms, but I agree it has small benefits.

You can access the login forms via https and it is recommended to use 
https for logging it, as mentioned on the front page of dokuwiki -- I 
just said that the https vs http does not bring benefits against spammers.


>>     2. Fix the kamailio.org <http://kamailio.org> certificate. At the
>>     moment the identity of the domain can't be established as there
>>     is no issuer chain provided with it.
>>
>>     From Firefox information page:
>
>     You actually need to fix Firefox -- I struggled yesterday a bit
>     with same situation. The certificate is actually new, generated
>     yesterday and signed by CACert.org. The previous one was
>     selfsigned, from openser times, expired for few years.
>
>     I had to try other browsers to check if works, because Firefox was
>     displaying some error. Then I went back to stable channel from
>     beta channel without any success, even removing the old
>     certificate from firefox preference. To solve it, I cleared the cache.
>
>
> I have tried with both Chrome and Firefox, both normal and Incognito 
> mode. Same error. I believe the problem is with the server.

It is working fine for me over https, tried both firefox and chrome. I 
replaced the certificate because the previous one was expired and 
mentioning openser. CACert is not a default trusted authority anyhow, I 
choose that instead of another self signed certificate because CACert 
has some popularity out there in the open source space.

So, you don't really get to the content via https? Or is just that the 
browser does not trust it?

Cheers,
Daniel

>
> The server provides the correct certificate (I've downloaded it), but 
> it must provide also an intermediate certificate signed with CaCert 
> RootCA. The client only has the Root CA, so for authentication of the 
> cert the intermediate one is needed.
>
> I guess https://www.globalsign.com/support/install/install_apache.php 
> provides a solution ( Note that the root CA might not make sense)
>
>   * Your virtual host section will need to contain the following
>     directives:
>   * |*SSLCACertificateFile*| – This will need to point to the
>     appropriate GlobalSign root CA certificate.
>   * |*SSLCertificateChainFile*| – This will need to point to the
>     appropriate intermediate root CA certificates you previously
>     created in Step 1 above.
>   * |*SSLCertificateFile*| – This will need to point to the end entity
>     certificate (the one you have called "mydomain.crt")
>   * |*SSLCertificateKeyFile*| – This will need to point to the private
>     key file associated with your certificate.
>
>
>
>     Let me know if works for you in the same way.
>
>     Cheers,
>     Daniel
>
>
>>     "
>>     kamailio.org <http://kamailio.org> uses an invalid security
>>     certificate.
>>
>>     The certificate is not trusted because no issuer chain was provided.
>>
>>     (Error code: sec_error_unknown_issuer)
>>     "
>>
>>     Marius
>>
>>
>>     On Mon, Apr 1, 2013 at 6:55 PM, Edson - Lists <4lists at gmail.com
>>     <mailto:4lists at gmail.com>> wrote:
>>
>>         Just as a side note, I've seem anti-spambots 'captcha
>>         systems' (just see, not implemented, nor know about a library
>>         that implement it) that use a dual factor approach: one that
>>         you see and one that you know.
>>
>>         Indeed very simple: show an image and ask something about it.
>>         Questions can be: type just the letters, type just the
>>         numbers, type numbers and letters in pre-defined order
>>         (left-to-right,up-down,etc), number of colors, of groups,
>>         color on the booton right, etc... The combination are limited
>>         on the imagination. And the best: it increment in exponential
>>         the way bots have to work.
>>
>>         Does anybody knows a library/system that implement such
>>         approach not all of them, but at least part of it?
>>
>>         Edson.
>>
>>         Em 01/04/2013 06:27, Daniel-Constantin Mierla escreveu:
>>
>>             Hello,
>>
>>             as of yesterday, creation of new accounts for Kamailio's
>>             wiki site
>>             requires to answer a project related question. Captcha
>>             was useless as
>>             spam bots were lately going through it easily, creating
>>             accounts in a
>>             rate of approx 50 new registrations per day.
>>
>>             The extra question is asked just after CAPTCHA, see it at:
>>             - https://www.kamailio.org/wiki/start?do=register
>>
>>             Hopefully the questions are simple enough to allow good
>>             people to
>>             register and difficult enough for spambots to give up. It
>>             is not a very
>>             sophisticated system, let's see if there will be any
>>             efforts in reverse
>>             engineering to break in with bots. So far no new spammer
>>             account. If
>>             they will succeed, at least they learn something useful.
>>
>>             If anyone has difficulties creating wiki accounts, write
>>             an email to
>>             sr-dev mailing list and it will be investigated.
>>
>>             Cheers,
>>             Daniel
>>
>>             PS. This registration system will last, is not for April 1.
>>
>>
>>         _______________________________________________
>>         sr-dev mailing list
>>         sr-dev at lists.sip-router.org <mailto:sr-dev at lists.sip-router.org>
>>         http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
>>
>>
>
>     -- 
>     Daniel-Constantin Mierla -http://www.asipto.com
>     http://twitter.com/#!/miconda  <http://twitter.com/#%21/miconda>  -http://www.linkedin.com/in/miconda
>     Kamailio World Conference, April 16-17, 2013, Berlin
>       -http://conference.kamailio.com  -
>
>

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, April 16-17, 2013, Berlin
  - http://conference.kamailio.com -

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20130401/27ceec62/attachment-0001.htm>


More information about the sr-dev mailing list