[PLUG] Secret message web page
Eric Wilhelm
scratchcomputing at gmail.com
Sat Apr 14 21:39:18 UTC 2007
I'll second the issues of the self-signed cert. You really do need the
"I am who I say I am" bit for this whole thing to work. (Whatever
happened to the freegeek semi-monthly keysigning anyway?)

# from Jason Martin
# on Saturday 14 April 2007 12:16 pm:

>If the interface is open it could be subject to spam.

My thoughts exactly. Anything resembling a POSTable form anywhere on
your website will be immediately pelted by bots (as soon as they find
it) looking for naive e-mail scripts that don't protect the header from
being appended by the form content. If you're not careful, the page
could even be sending spam to *elsewhere* without you knowing it
(unless you're watching the server log.)

You want to be sure you don't have *that* sort of cgi script.

>Also, I assume you have considered the fact that *you* have no way of
>verifying the identity of the sender?

You probably also want to make it a password-protected page. Hand out a
one-time password to your visitor over the phone (or e-mail if you
must, since the risk is greatly reduced by the expiry window.)

>On 4/14/07, Keith Lofstrom <keithl at kl-ic.com> wrote:
>> ... cgibin/XXXXXXXXX.cgi

If you *really* wanted it tested, you would post the real url here where
the scambots could find it :-D
--Eric
--
"Because understanding simplicity is complicated."
--Eric Raymond
---------------------------------------------------
http://scratchcomputing.com
---------------------------------------------------
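
The header protection discussed in the message above, as an added example that is not part of the original post or any script from the thread: a form-to-mail handler that keeps form content out of the headers and never takes the recipient from the request. The field names, addresses and the `RejectedForm` class are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Assumption: the form only ever mails the site owner; the recipient is never
# taken from the request, so the page cannot be used to mail anyone else.
FIXED_RECIPIENT = "owner@example.org"   # constructed placeholder address
_CTRL = re.compile(r"[\r\n\x00]")
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class RejectedForm(ValueError):
    """Raised when a form field could alter the message headers."""


def header_value(name, value, max_len=200):
    """Return value if it is safe as a single header line, else raise."""
    if _CTRL.search(value):
        raise RejectedForm(f"{name}: line break or NUL in header field")
    if len(value) > max_len:
        raise RejectedForm(f"{name}: too long")
    return value.strip()


def build_message(form):
    """Build the outgoing mail from a dict of form fields (hypothetical names)."""
    sender = header_value("from", form.get("from", ""))
    if not _ADDR.fullmatch(sender):
        raise RejectedForm("from: not a single plain address")
    msg = EmailMessage()
    msg["To"] = FIXED_RECIPIENT
    msg["From"] = FIXED_RECIPIENT           # never the visitor-supplied value
    msg["Reply-To"] = sender
    msg["Subject"] = header_value("subject", form.get("subject", ""))
    msg.set_content(form.get("body", ""))   # the body may contain newlines
    return msg


# Constructed sample submissions: one ordinary, one that tries to append a header.
GOOD = {"from": "visitor@example.com", "subject": "hello", "body": "line1\nline2"}
BAD = {"from": "visitor@example.com",
       "subject": "hello\r\nBcc: someone@example.net",
       "body": "unwanted text"}
```

Rejected submissions are worth logging with the client address, since a burst of them is the bot probing mentioned above.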