Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add an access key so that random people don't start using my server to host their porn. #28

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

bgreenlee
Copy link

No description provided.

@rsms
Copy link
Owner

rsms commented Mar 30, 2012

It's not really safe since anyone on the same network as you can just sniff the traffic and find the key (unless you're on SSL). A better approach would be a challenge-response or simply requiring SSL when a "access key" is enabled (eg when the access key variable is not empty). I've been running Scrup myself for a few years and never had a problem w security (I've put the recv.php under an obscure name in an obscure place that's not the same as where images are served from). Putting recv.php under an obscure name, say, dornb5mdi3ks is as effective as using a secret key, over an unsecure connection.

1 similar comment
@rsms
Copy link
Owner

rsms commented Mar 30, 2012

It's not really safe since anyone on the same network as you can just sniff the traffic and find the key (unless you're on SSL). A better approach would be a challenge-response or simply requiring SSL when a "access key" is enabled (eg when the access key variable is not empty). I've been running Scrup myself for a few years and never had a problem w security (I've put the recv.php under an obscure name in an obscure place that's not the same as where images are served from). Putting recv.php under an obscure name, say, dornb5mdi3ks is as effective as using a secret key, over an unsecure connection.

@bgreenlee
Copy link
Author

I'm not worried about people on the same network. I'm worried about either script kiddies looking for a recv.php script, or people seeing image links I post and knowing to look for the script. Yes, changing the name to something long and random is effectively the same as having a key, but I think more people are likely to set a $KEY variable in the file than think to change the name.

If you really wanted security, you could have the Mac app generate certs and use those, but that's probably overkill.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants