Re: Access Authorization

Date: Fri, 17 Sep 93 21:19:22 +0200
From: luotonen@ptsun00.cern.ch (Ari Luotonen)
Message-id: <9309171919.AA09843@ptsun00.cern.ch>
To: www-talk@nxoc01.cern.ch
Subject: Re: Access Authorization

> If you just want to keep honest people out, then don't hack up the
> protocol just to do it -- it isn't necessary. All you need is to put
> the web under some directory /secret/ and add a 'query' page where you
> have to type in 'secret' in order to get access to those files.
> 
> Actually, what is probably more effective and simpler is to add a
> <H1>PRIVATE: This information is for use of members of the FOO project
> Only. All other use is unauthorized.</H1>.

Now please, let's not get out of line. This is once again a reference to
"passwords don't offer any security". But they *do*. I mean if there is
any kind of password protection, you have to *know* or find out the password
to get in. If there is just some notice, you don't have to know anything,
just go ahead.

It is said how easy it is to eavesdrop on ethernet and find out people's
passwords. But normal people don't listen to ethernet. Going through so
much trouble as to catch http packets shows such a strong urge to get into
a system that very few really do it.

You are referring to the fact that it is possible to break the protection, and
then you assume that every damn soul uses that possibility.
It's like throwing away a million bucks because you lost a dollar.
Do you think that a casual wanderer in the Web really even cares to look at
how WWW protection is implemented? He probably wouldn't even find the
documentation.

So this stops 99.9% of intruders, I am sure. Is that not better than a
braindead "This is secret" method -- I mean please! Who believes that? No
one would take it seriously -- nobody in his right mind would protect
anything just by saying this is secret. When there is a password at least
they know that this is secret enough that it is protected by a password.
This is clearly psychological.

For example: how do some hackers in Zimbabwe listen to CERN ethernet?
Tell me, what are the chances that they really find out somebody's password
in some of our collaborations?


-- Ari --