Tuesday 08 April 2003 11:25:21 am
Hi Volker,

>SSL-Login ? Possible, but what is it good for ...

To protect the user's password and personal information. Many users re-use their password on several sites, some of them using simple HTTP. This is a very high security problem. While I personally can't force the user to use a different password, I can at least attempt to minimize the impact of such insecure behavior by reducing the amount of public awareness of this piece of information. If I do so, maybe other sites will also get the idea and support a proper secure authentication scheme, and will reduce the amount of identity theft going on.

> This is nothing but fooling users.

I disagree with you here. I believe that the password is transmitted securely between the home user and the site. It surely doesn't say that at the site only my script will get it, but at least it reduces the possibilities. It also ensures that brothers and sisters, who on a community site may be interested in hacking access and posting stuff under another name, won't be able to do so on the site without more thinking on their side.

>I recommend that you go the gmx-way of open registration
>with email addresses. This is very easy to accomplish with
>ezp3.

Hmm, maybe, but people do not like to have a certain password forced on them and are more likely to never come back to my site, which is in the opposite direction of my goals. Also, the idea of using an identity and password is to allow a more personal approach, and if that identity is not strong then there's no real point in having it at all, which again is not going toward my goals for my site. There is also the part about providing the email address. Many sites take this information for granted, while many users are starting to be annoyed with spam and stop wanting to provide that piece of information. One of my goals is to go back in time to when web sites didn't require email addresses.

> On the other hand, if you want to provide serious SSL
> sessions, the main piece of work is to create a good web
> server configuration with appropriate rewrite rules the
> redirection purposes as needed. Within ezp3, you may
> associate your content and site access with SSL-sessions or
> not as you like.

Unfortunately, at the current time, I am not fortunate enough to own my web server/permanent connection or to have access as I wish to all its configuration. The scenario I described is the one I have to live with at the moment, and I would appreciate help that supports the scenario and does not ask to change it, unless a hosting service allowing me such support is provided as well at the same cost as my current one, 9$US a month, as I don't have that control at the present host.

Sincerely,
Yannick Koehler [email protected]