antonio montagnani mentioned: > http://localhost:10000/ works Alexander Dalloz wrote: > What is you problem with it? I would even say, running webmin over plain > http and not http/ssl secured is plain stupid. In this particular example, it's merely bad practice. It's safe enough in that example because the data never leaves the machine (it will go over the loopback interface). And if the computer is properly firewalled, no-one can get at port 10000 from outside. And the standard Fedora firewall will do this. If the standard firewall is *not* enabled, but Webmin is only run from the machine in question, then the password still never leaves the machine, and an attacker is limited to finding bugs or brute-forcing the password. And SSH is as vulnerable. I'd even call it safe over a trusted network, where you are sure none of the machines are compromised, they're all under your control, and you can see the wires (although I still don't fully trust wireless encryption). A very small office or a home office, perhaps. No, the reason I think it bad practice is simply because you may forget and think it safe when you do administer over a not-fully-trusted network. James. -- E-mail address: james | "Luck is my middle name," said Rincewind, @westexe.demon.co.uk | indistinctly. "Mind you, my first name is Bad." | -- Terry Pratchett, Interesting Times
