Hello,
Comments inline
On Mon, Apr 1, 2013 at 8:27 PM, Daniel-Constantin Mierla
<miconda(a)gmail.com>wrote;wrote:
On 4/1/13 9:13 PM, Marius Zbihlei wrote:
Some ideas about improving the security of the site:
1. Drop http connections for authentication pages
Not sure how much it will help, as the bots were able to create accounts
by solving the captcha. HTTPS is no longer something hard to get in any
application. So far so good with the new system, no spammer got that
familiar with Kamailio modules :-), but there were few new valid accounts.
Well,
I would be very nice for the
https://www.kamailio.org to work (at the
moment it returns an 200 OK with an empty HTML Page). Also, I consider bad
security practice to allow traffic that is uncrypted for login forms, but I
agree it has small benefits.
2. Fix the
kamailio.org certificate. At the moment
the identity of the
domain can't be established as there is no issuer chain provided with it.
From Firefox information page:
You actually need to fix Firefox -- I struggled yesterday a bit with same
situation. The certificate is actually new, generated yesterday and signed
by
CACert.org. The previous one was selfsigned, from openser times, expired
for few years.
I had to try other browsers to check if works, because Firefox was
displaying some error. Then I went back to stable channel from beta channel
without any success, even removing the old certificate from firefox
preference. To solve it, I cleared the cache.
I have tried with both Chrome and Firefox, both normal and Incognito mode.
Same error. I believe the problem is with the server.
The server provides the correct certificate (I've downloaded it), but it
must provide also an intermediate certificate signed with CaCert RootCA.
The client only has the Root CA, so for authentication of the cert the
intermediate one is needed.
I guess
https://www.globalsign.com/support/install/install_apache.phpprovides
a solution ( Note that the root CA might not make sense)
- Your virtual host section will need to contain the following
directives:
- *SSLCACertificateFile* – This will need to point to the appropriate
GlobalSign root CA certificate.
- *SSLCertificateChainFile* – This will need to point to the appropriate
intermediate root CA certificates you previously created in Step 1 above.
- *SSLCertificateFile* – This will need to point to the end entity
certificate (the one you have called "mydomain.crt")
- *SSLCertificateKeyFile* – This will need to point to the private key
file associated with your certificate.
Let me know if works for you in the same way.
Cheers,
Daniel
"
kamailio.org uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
"
Marius
On Mon, Apr 1, 2013 at 6:55 PM, Edson - Lists <4lists(a)gmail.com> wrote:
Just as a side note, I've seem anti-spambots
'captcha systems' (just see,
not implemented, nor know about a library that implement it) that use a
dual factor approach: one that you see and one that you know.
Indeed very simple: show an image and ask something about it.
Questions can be: type just the letters, type just the numbers, type
numbers and letters in pre-defined order (left-to-right,up-down,etc),
number of colors, of groups, color on the booton right, etc... The
combination are limited on the imagination. And the best: it increment in
exponential the way bots have to work.
Does anybody knows a library/system that implement such approach not all
of them, but at least part of it?
Edson.
Em 01/04/2013 06:27, Daniel-Constantin Mierla escreveu:
Hello,
as of yesterday, creation of new accounts for Kamailio's wiki site
requires to answer a project related question. Captcha was useless as
spam bots were lately going through it easily, creating accounts in a
rate of approx 50 new registrations per day.
The extra question is asked just after CAPTCHA, see it at:
-
https://www.kamailio.org/wiki/start?do=register
Hopefully the questions are simple enough to allow good people to
register and difficult enough for spambots to give up. It is not a very
sophisticated system, let's see if there will be any efforts in reverse
engineering to break in with bots. So far no new spammer account. If
they will succeed, at least they learn something useful.
If anyone has difficulties creating wiki accounts, write an email to
sr-dev mailing list and it will be investigated.
Cheers,
Daniel
PS. This registration system will last, is not for April 1.
_______________________________________________
sr-dev mailing list
sr-dev(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
--
Daniel-Constantin Mierla -
http://www.asipto.comhttp://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda
Kamailio World Conference, April 16-17, 2013, Berlin
-
http://conference.kamailio.com -