From: Jeremy A. <ja...@tu...> - 2003-01-02 00:47:45
Geoff, I'm not trying to shoot your idea down, but I am going to continue to play the devil's advocate. Thanks for the input!

> Jeremy:
>
> I want to re-iterate the security breach comment I made previously.
>
> I'm suggesting a module that is part of the phpWS core for the purpose
> of registering a phpWebsite and for receiving security updates.
>
> If the security notices are sent to the phpWS module of registered sites

This would mean our server would have to open an individual http process to talk to all the sites on the list. What if it would not get there? It would also have to keep retrying on fail. Also this is a lot of server load.

> and the phpWS forwards it to an email address specified by the admin on

You now have a client on all installs just sitting there listening. You will need to do lots of checks. You could for example have something say send the admin a message 1000000 times. Or some other DoS attack to max the server CPU.

> his own site, this guarantees that you don't get the security alerts
> unless you are actually running phpwebsite and you have registered your
> site.

This can be faked! Yes, it would probably eliminate a few script kiddies, but this is not who we are really worried about. It is even easier considering they can see your code.

>
> This at least guarantees that anyone wanting to receive security
> information for nefarious purposes is running a registered phpWS. This
> won't stop the problem, but, it does put a significant obstacle in the
> way. I suspect that many pranksters would simply go somewhere else with
> their pranks because they didn't want to bother with setting up and
> hosting a phpWS instance to be ready for any security breaches that
> occur.
>
> I figured that the registration / security module would provide a public
> directory of phpWebsites and that each site admin could choose whether
> or not they wanted their site listed in the public directory. It seems
> to me that from a functionality standpoint the registration, security
> updates, and public directory are closely enough related that a single
> module would be best because it puts all of these functions in a single
> place for the site admins.
>
> I like your idea of alerting to a security breach immediately before a
> fix is available so that admins will know to be on the look out for the
> fix, to back up their site if needed as protection, and to plan the
> time to implement the fix when available.
>
> Geoff

--
Jeremy Agee
phpWebSite Development Team (http://phpwebsite.appstate.edu)
Appalachian State University
SF.net id: jagee or 94756