<div dir="ltr">Hello,<div><br></div><div>Comments inline<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Apr 1, 2013 at 8:27 PM, Daniel-Constantin Mierla <span dir="ltr"><<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<br>
<div>On 4/1/13 9:13 PM, Marius Zbihlei
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Some ideas about improving the security of the
site:
<div><br>
</div>
<div>1. Drop http connections for authentication pages
<br>
</div>
</div>
</blockquote></div>
Not sure how much it will help, as the bots were able to create
accounts by solving the captcha. HTTPS is no longer something hard
to get in any application. So far so good with the new system, no
spammer got that familiar with Kamailio modules :-), but there were
few new valid accounts.<div class="im"><br>
<br></div></div></blockquote><div style>Well, </div><div style><br></div><div style>I would be very nice for the <a href="https://www.kamailio.org">https://www.kamailio.org</a> to work (at the moment it returns an 200 OK with an empty HTML Page). Also, I consider bad security practice to allow traffic that is uncrypted for login forms, but I agree it has small benefits.</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div class="im">
<blockquote type="cite">
<div dir="ltr">
<div>2. Fix the <a href="http://kamailio.org" target="_blank">kamailio.org</a> certificate. At
the moment the identity of the domain can't be established as
there is no issuer chain provided with it.</div>
<div><br>
</div>
<div>From Firefox information page:</div>
</div>
</blockquote>
<br></div>
You actually need to fix Firefox -- I struggled yesterday a bit with
same situation. The certificate is actually new, generated yesterday
and signed by CACert.org. The previous one was selfsigned, from
openser times, expired for few years.<br>
<br>
I had to try other browsers to check if works, because Firefox was
displaying some error. Then I went back to stable channel from beta
channel without any success, even removing the old certificate from
firefox preference. To solve it, I cleared the cache.<br>
<br></div></blockquote><div><br></div><div style>I have tried with both Chrome and Firefox, both normal and Incognito mode. Same error. I believe the problem is with the server. </div><div style><br></div><div style>
The server provides the correct certificate (I've downloaded it), but it must provide also an intermediate certificate signed with CaCert RootCA. The client only has the Root CA, so for authentication of the cert the intermediate one is needed. </div>
<div style><br></div><div style>I guess <a href="https://www.globalsign.com/support/install/install_apache.php">https://www.globalsign.com/support/install/install_apache.php</a> provides a solution ( Note that the root CA might not make sense)</div>
<div style><br></div><div style><ul class="" style="padding:0px;margin:10px 0px 10px 10px;list-style:none;color:rgb(0,0,0);font-family:Arial,Helvetica,sans-serif;font-size:13px"><li style="padding:3px 0px;margin:3px 25px;list-style:none">
Your virtual host section will need to contain the following directives:</li><li style="padding:3px 0px;margin:3px 25px;list-style:none"><code style="background-color:rgb(0,0,0);color:rgb(0,204,51);padding:3px"><strong>SSLCACertificateFile</strong></code> – This will need to point to the appropriate GlobalSign root CA certificate.</li>
<li style="padding:3px 0px;margin:3px 25px;list-style:none"><code style="background-color:rgb(0,0,0);color:rgb(0,204,51);padding:3px"><strong>SSLCertificateChainFile</strong></code> – This will need to point to the appropriate intermediate root CA certificates you previously created in Step 1 above.</li>
<li style="padding:3px 0px;margin:3px 25px;list-style:none"><code style="background-color:rgb(0,0,0);color:rgb(0,204,51);padding:3px"><strong>SSLCertificateFile</strong></code> – This will need to point to the end entity certificate (the one you have called "mydomain.crt")</li>
<li style="padding:3px 0px;margin:3px 25px;list-style:none"><code style="background-color:rgb(0,0,0);color:rgb(0,204,51);padding:3px"><strong>SSLCertificateKeyFile</strong></code> – This will need to point to the private key file associated with your certificate.</li>
</ul><div><font color="#000000" face="Arial, Helvetica, sans-serif"><span style="font-size:13px"><br></span></font></div><div style><br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Let me know if works for you in the same way.<br>
<br>
Cheers,<br>
Daniel<div><div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>"</div>
<div>
<div><a href="http://kamailio.org" target="_blank">kamailio.org</a>
uses an invalid security certificate.</div>
<div><br>
</div>
<div>The certificate is not trusted because no issuer chain
was provided.</div>
<div><br>
</div>
<div>(Error code: sec_error_unknown_issuer)</div>
<div>"</div>
<div><br>
</div>
<div>Marius</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Apr 1, 2013 at 6:55 PM, Edson -
Lists <span dir="ltr"><<a href="mailto:4lists@gmail.com" target="_blank">4lists@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Just as a
side note, I've seem anti-spambots 'captcha systems' (just
see, not implemented, nor know about a library that
implement it) that use a dual factor approach: one that you
see and one that you know.<br>
<br>
Indeed very simple: show an image and ask something about
it.<br>
Questions can be: type just the letters, type just the
numbers, type numbers and letters in pre-defined order
(left-to-right,up-down,etc), number of colors, of groups,
color on the booton right, etc... The combination are
limited on the imagination. And the best: it increment in
exponential the way bots have to work.<br>
<br>
Does anybody knows a library/system that implement such
approach not all of them, but at least part of it?<br>
<br>
Edson.<br>
<br>
Em 01/04/2013 06:27, Daniel-Constantin Mierla escreveu:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hello,<br>
<br>
as of yesterday, creation of new accounts for Kamailio's
wiki site<br>
requires to answer a project related question. Captcha was
useless as<br>
spam bots were lately going through it easily, creating
accounts in a<br>
rate of approx 50 new registrations per day.<br>
<br>
The extra question is asked just after CAPTCHA, see it at:<br>
- <a href="https://www.kamailio.org/wiki/start?do=register" target="_blank">https://www.kamailio.org/wiki/start?do=register</a><br>
<br>
Hopefully the questions are simple enough to allow good
people to<br>
register and difficult enough for spambots to give up. It
is not a very<br>
sophisticated system, let's see if there will be any
efforts in reverse<br>
engineering to break in with bots. So far no new spammer
account. If<br>
they will succeed, at least they learn something useful.<br>
<br>
If anyone has difficulties creating wiki accounts, write
an email to<br>
sr-dev mailing list and it will be investigated.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
PS. This registration system will last, is not for April
1.<br>
<br>
</blockquote>
<br>
_______________________________________________<br>
sr-dev mailing list<br>
<a href="mailto:sr-dev@lists.sip-router.org" target="_blank">sr-dev@lists.sip-router.org</a><br>
<a href="http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev" target="_blank">http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div><span class=""><font color="#888888"><pre cols="72">--
Daniel-Constantin Mierla - <a href="http://www.asipto.com" target="_blank">http://www.asipto.com</a>
<a href="http://twitter.com/#!/miconda" target="_blank">http://twitter.com/#!/miconda</a> - <a href="http://www.linkedin.com/in/miconda" target="_blank">http://www.linkedin.com/in/miconda</a>
Kamailio World Conference, April 16-17, 2013, Berlin
- <a href="http://conference.kamailio.com" target="_blank">http://conference.kamailio.com</a> -</pre>
</font></span></div>
</blockquote></div><br></div></div></div>