On Thu, Aug 1, 2013 at 3:41 PM, Michael Stovenour <michael@stovenour.net> wrote:

Iím not even sure what Kevin has done here is adequate unless he is using SSL between the browser and the apache proxy.† If someone sitting in an airport, Starbucks, etc. captures the session and grabs the proxy password then itís all over. †

Yes that is an issue. †I had ignored it assuming that risk was low. †I have an SSL cert that is still valid on the old server that I can move over. †I guess it is time to do that.

FYI, you can get a one year cert for free from†http://cert.startcom.org/†it is a rather annoying process, but it is available.