<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 4/1/13 9:13 PM, Marius Zbihlei
wrote:<br>
</div>
<blockquote
cite="mid:CAD85-0vBYTqdtpNhM9pUyGL1aVoTPGfUMSVoQF-ct+JcmAHYhQ@mail.gmail.com"
type="cite">
<div dir="ltr">Some ideas about improving the security of the
site:
<div><br>
</div>
<div style="">1. Drop http connections for authentication pages
<br>
</div>
</div>
</blockquote>
Not sure how much it will help, as the bots were able to create
accounts by solving the captcha. HTTPS is no longer something hard
to get in any application. So far so good with the new system, no
spammer got that familiar with Kamailio modules :-), but there were
few new valid accounts.<br>
<br>
<blockquote
cite="mid:CAD85-0vBYTqdtpNhM9pUyGL1aVoTPGfUMSVoQF-ct+JcmAHYhQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="">2. Fix the <a moz-do-not-send="true"
href="http://kamailio.org">kamailio.org</a> certificate. At
the moment the identity of the domain can't be established as
there is no issuer chain provided with it.</div>
<div style=""><br>
</div>
<div style="">From Firefox information page:</div>
</div>
</blockquote>
<br>
You actually need to fix Firefox -- I struggled yesterday a bit with
the same situation. The certificate is actually new, generated yesterday
and signed by CACert.org. The previous one was self-signed, from
openser times, expired for a few years.<br>
<br>
I had to try other browsers to check if it works, because Firefox was
displaying some error. Then I went back to the stable channel from the beta
channel without any success, even removing the old certificate from
the Firefox preferences. To solve it, I cleared the cache.<br>
<br>
Let me know if it works for you in the same way.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<blockquote
cite="mid:CAD85-0vBYTqdtpNhM9pUyGL1aVoTPGfUMSVoQF-ct+JcmAHYhQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div style="">"</div>
<div style="">
<div><a moz-do-not-send="true" href="http://kamailio.org">kamailio.org</a>
uses an invalid security certificate.</div>
<div><br>
</div>
<div>The certificate is not trusted because no issuer chain
was provided.</div>
<div><br>
</div>
<div>(Error code: sec_error_unknown_issuer)</div>
<div>"</div>
<div><br>
</div>
<div style="">Marius</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Apr 1, 2013 at 6:55 PM, Edson -
Lists <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:4lists@gmail.com" target="_blank">4lists@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Just as a
side note, I've seen anti-spambot 'captcha systems' (just
seen, not implemented, nor know about a library that
implements it) that use a dual factor approach: one that you
see and one that you know.<br>
<br>
Indeed very simple: show an image and ask something about
it.<br>
Questions can be: type just the letters, type just the
numbers, type numbers and letters in a pre-defined order
(left-to-right, up-down, etc.), number of colors, of groups,
color on the bottom right, etc... The combinations are
limited only by the imagination. And the best: it increases
exponentially the work bots have to do.<br>
<br>
Does anybody know a library/system that implements such an
approach, not all of it, but at least part of it?<br>
<br>
Edson.<br>
<br>
On 01/04/2013 06:27, Daniel-Constantin Mierla wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<br>
as of yesterday, creation of new accounts for Kamailio's
wiki site<br>
requires answering a project-related question. Captcha was
useless as<br>
spam bots were lately going through it easily, creating
accounts at a<br>
rate of approx 50 new registrations per day.<br>
<br>
The extra question is asked just after CAPTCHA, see it at:<br>
- <a moz-do-not-send="true"
href="https://www.kamailio.org/wiki/start?do=register"
target="_blank">https://www.kamailio.org/wiki/start?do=register</a><br>
<br>
Hopefully the questions are simple enough to allow good
people to<br>
register and difficult enough for spambots to give up. It
is not a very<br>
sophisticated system, let's see if there will be any
efforts in reverse<br>
engineering to break in with bots. So far no new spammer
account. If<br>
they will succeed, at least they learn something useful.<br>
<br>
If anyone has difficulties creating wiki accounts, write
an email to<br>
sr-dev mailing list and it will be investigated.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
PS. This registration system will last, it is not for April
1.<br>
<br>
</blockquote>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a>
Kamailio World Conference, April 16-17, 2013, Berlin
- <a class="moz-txt-link-freetext" href="http://conference.kamailio.com">http://conference.kamailio.com</a> -</pre>
</body>
</html>