On Mon, 13.12.2004, at 18:41, James Wilkinson wrote:

> antonio montagnani mentioned:
> > http://localhost:10000/ works
>
> Alexander Dalloz wrote:
> > What is your problem with it? I would even say, running webmin over plain
> > http and not http/ssl secured is plain stupid.
>
> In this particular example, it's merely bad practice. It's safe enough
> in that example because the data never leaves the machine (it will go
> over the loopback interface). And if the computer is properly
> firewalled, no-one can get at port 10000 from outside. And the standard
> Fedora firewall will do this.

[ ... ]

> No, the reason I think it bad practice is simply because you may forget
> and think it safe when you do administer over a not-fully-trusted
> network.
>
> James.

James,

of course your more detailed discussion is fully correct. I just took
the URL Antonio posted as an illustration. How many webmin users remotely
administer their host over a non-secured HTTP connection? That means they
log in as root this way. I fear there are a lot! Unfortunately. From my
point of view it would be best if webmin would require the HTTPS
connection under any circumstance. The only problem when installing from
sources is that it requires a Perl module to activate SSL.

Alexander

-- 
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
Serendipity 18:46:08 up 3 days, 13:26, load average: 0.63, 0.54, 0.58
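The distinction drawn in this thread (plain HTTP on loopback is bad practice, plain HTTP on a reachable interface is a real exposure) can be checked mechanically. The following is an added example, not part of the original messages or of Webmin itself; it assumes the `ssl` and `bind` keys of Webmin's `miniserv.conf`, treats a missing `ssl` key as disabled, and the verdict names and sample configs are constructed for illustration.

```python
import ipaddress

# Constructed sample configs in miniserv.conf key=value style (not from the thread).
SAMPLE_PLAIN_ALL = "port=10000\nssl=0\n"
SAMPLE_PLAIN_LOOPBACK = "# local only\nport=10000\nssl=0\nbind=127.0.0.1\n"
SAMPLE_SSL_ALL = "port=10000\nssl=1\n"


def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def is_loopback(addr):
    """True only for an explicit loopback bind; empty means all interfaces."""
    if not addr:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"


def assess(text):
    """Classify the listener as 'ok', 'bad-practice' or 'exposed' (hypothetical labels)."""
    conf = parse_conf(text)
    if conf.get("ssl", "0") == "1":
        return "ok"
    if is_loopback(conf.get("bind", "")):
        # Plain HTTP that never leaves the machine: the loopback case from the thread.
        return "bad-practice"
    # Plain HTTP on every interface: only the host firewall stands in front of it.
    return "exposed"


if __name__ == "__main__":
    for name, sample in [("plain/all", SAMPLE_PLAIN_ALL),
                         ("plain/loopback", SAMPLE_PLAIN_LOOPBACK),
                         ("ssl/all", SAMPLE_SSL_ALL)]:
        print(name, "->", assess(sample))
```

On a real host, pass the contents of the installed `miniserv.conf` to `assess()`; an "exposed" result means remote root logins would cross the network in clear text unless a firewall blocks the port.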