Repository (In)Security

Sean P. DeNigris
Sat, Aug 22, 2015 6:51 PM

We were sitting here looking at some unencrypted network traffic and it hit
me - our StHub, SqS, and ss3 credentials are always unencrypted. This is a
tremendous security hole. Someone could grab the credentials of a more
prominent member of the community who has admin rights to many repos and
start uploading arbitrary Zip files with who-knows-what embedded.

SSL certificates are so cheap today. Will ESUG purchase them for our
community servers?

I personally have deleted all my private repos, and moved them to BitBucket,
which I can access via SSH, but it doesn't solve the problem because of
course any open source St project I load will open the flood gates!


Cheers,
Sean

View this message in context: http://forum.world.st/Repository-In-Security-tp4845058.html
Sent from the ESUG mailing list archive at Nabble.com.
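A defender-side check in the spirit of the point above (an added example, not code from this thread or from any Smalltalk project): given repository entries as (url, user, password) triples, the way a Monticello HTTP repository stores its login, it flags the ones that would send a login in the clear or fetch a package Zip over an unverified channel. The hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit

# Schemes that encrypt the connection, so the login and the downloaded
# package Zip are protected in transit.
ENCRYPTED_SCHEMES = {"https", "ssh", "sftp"}
CLEARTEXT_SCHEMES = {"http", "ftp"}


def classify(url, user="", password=""):
    """Return the transport risk for one repository entry.

    user/password are the credentials stored alongside the URL (assumed
    layout, as a Monticello HTTP repository keeps them); credentials
    embedded in the URL itself (http://user:pw@host/...) count as well.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    has_creds = bool(user or password or parts.username or parts.password)
    if scheme in ENCRYPTED_SCHEMES:
        return "ok"
    if scheme in CLEARTEXT_SCHEMES:
        if has_creds:
            # The login is readable to anyone on the network path.
            return "cleartext-credentials"
        # Nothing secret is sent, but the Zip received cannot be trusted.
        return "unverified-content"
    return "unknown-scheme"


def audit(repos):
    """Return (url, verdict) for every entry whose verdict is not 'ok'."""
    findings = []
    for url, user, password in repos:
        verdict = classify(url, user, password)
        if verdict != "ok":
            findings.append((url, verdict))
    return findings


# Constructed sample entries; the hostnames are placeholders, not real servers.
SAMPLE_REPOS = [
    ("http://sthub.example/mc/Sean/MyPrivateProject/main", "sean", "hunter2"),
    ("http://squeaksource.example/OpenProject", "", ""),
    ("https://ss3.example/OpenProject", "sean", "hunter2"),
    ("ssh://git@bitbucket.example/sean/private.git", "", ""),
    ("http://user:pw@ss3.example/OtherProject", "", ""),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_REPOS):
        print(f"{verdict:24} {url}")
```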

Damien Cassou
Wed, Aug 26, 2015 7:28 AM

Hi Sean,

Sean P. DeNigris sean@clipperadams.com writes:

> We were sitting here looking at some unencrypted network traffic and it hit
> me - our StHub, SqS, and ss3 credentials are always unencrypted. This is a
> tremendous security hole. Someone could grab the credentials of a more
> prominent member of the community who has admin rights to many repos and
> start uploading arbitrary Zip files with who-knows-what embedded.
>
> SSL certificates are so cheap today. Will ESUG purchase them for our
> community servers?
>
> I personally have deleted all my private repos, and moved them to BitBucket,
> which I can access via SSH, but it doesn't solve the problem because of
> course any open source St project I load will open the flood gates!

thank you for raising the issue.

The ESUG board can pay such a certificate. Nonetheless, the problem is
not paying but installing the certificate and maintaining the server. We
already have too little time to dedicate to server maintenance.

We are looking for volunteers.

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill

Steven R. Baker
Wed, Aug 26, 2015 9:19 AM

I'll volunteer if someone can give me an overview of how things are set up. I enjoy a little bit of server maintenance from time to time.

On 26 August 2015 09:28:42 CEST, Damien Cassou damien.cassou@inria.fr wrote:

> Hi Sean,
>
> Sean P. DeNigris sean@clipperadams.com writes:
>
>> We were sitting here looking at some unencrypted network traffic and it hit
>> me - our StHub, SqS, and ss3 credentials are always unencrypted. This is a
>> tremendous security hole. Someone could grab the credentials of a more
>> prominent member of the community who has admin rights to many repos and
>> start uploading arbitrary Zip files with who-knows-what embedded.
>>
>> SSL certificates are so cheap today. Will ESUG purchase them for our
>> community servers?
>>
>> I personally have deleted all my private repos, and moved them to BitBucket,
>> which I can access via SSH, but it doesn't solve the problem because of
>> course any open source St project I load will open the flood gates!
>
> thank you for raising the issue.
>
> The ESUG board can pay such a certificate. Nonetheless, the problem is
> not paying but installing the certificate and maintaining the server. We
> already have too little time to dedicate to server maintenance.
>
> We are looking for volunteers.
>
> --
> Damien Cassou
> http://damiencassou.seasidehosting.st
>
> "Success is the ability to go from one failure to another without
> losing enthusiasm." --Winston Churchill
>
> _______________________________________________
> Esug-list mailing list
> Esug-list@lists.esug.org
> http://lists.esug.org/mailman/listinfo/esug-list_lists.esug.org

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Damien Cassou
Thu, Aug 27, 2015 3:56 AM

Steven R. Baker steven@stevenrbaker.com writes:

> I'll volunteer if someone can give me an overview of how things are
> set up. I enjoy a little bit of server maintenance from time to time.

Those interested should contact "Marcus Denker" marcus.denker@inria.fr
to build a maintainer team.

--
Damien Cassou
http://damiencassou.seasidehosting.st

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill

Sean P. DeNigris
Fri, Aug 28, 2015 12:14 PM

Damien Cassou-2 wrote

> those interested should contact "Marcus Denker" to build a maintainer
> team.

I will help, too. I will contact Marcus…


Cheers,
Sean

View this message in context: http://forum.world.st/Repository-In-Security-tp4845058p4846625.html
Sent from the ESUG mailing list archive at Nabble.com.
