Subj : Web access, false BBS ID
To   : Andy Ball
From : Michel Samson
Date : Wed Oct 27 2004 11:00 pm

Hi Andy,

About "Web BBS" of October 27:

BG> Are there any web-access BBSs, other than EleWeb...
MS> Take a peek into the `FdN_SysOp.Rights' echo... ...October 13...
MS> ...the obvious lack of security is what i'd call a deterrent, in
MS> favour of plain old DialUp/~TelNet~ BBSing, i mean...
AB> How is this any more secure than an unencrypted HTTP connection?
MS> ...BBSers like me who don't know how to steal PassWords do have a
MS> way to steal identities!  We're in perfect agreement over ~SSH~,
MS> not the removal of ~TelNet~.
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AB> It was bound to happen, eventually.

I guess this event can be classified according to the laws of chaos but
other natural laws will predict that all good things come to an end!  %-)

JW> What's the hole?  I don't see it.

...that's nothing new...

AB> Sysops seem pretty thin on the ground these days...

Considering the apparent lack of concern from authors/SysOps on who the
BBSers depended for their SoftWare when the whole BBS community went thru
the ~TelNet~ transition, euh... relatively to a most basic feature of
DialUp BBSing (file-transfer!), euh...  Pardon my negativism but it's not
tempting to leave such people too much ground so that this adventure is
repeated in the same exclusive fashion again!  Important things which
~WEB~ BBSes must address first are treated last, it seems; that's how a
stranger's name replaced mine!  It never happened when using ~TelNet~...
%-o

MS> If I were to set up a BBS with Internet access, SSH is probably the
MS> approach that I would take.  Web-based BBS have their place too.

I'd make the UpGrade Path INCLUSIVE.  I'm thinking of a scheme like
~POP3~ before ~SMTP~ but with a twist; i'd keep ~TelNet~ but require my
LEGACY users to validate using ~SSH~ and then grant ~TelNet~ access only
after the ~IP~ address is approved...  I can live with innovations since
~TelNet~ can be secure enough if combined with ~SSH~/~HTTPS~ and i might
even imagine other ways to adapt plain old ~TelNet~ sessions without any
newer protocols (via additional security macros/utilities, perhaps?)...
%^)

AB> Telnet clients are ubiquitous, the fact that they come as standard
AB> equipment with most operating system software, and are available for
AB> more besides (including DOS) counts in favour of telnet.

Now that we begin to get ~TelNet~ clients with decent file-transfer
support (after years of waiting) let's enjoy what's here, i would say!...
:)

AB> Whether to allow the use of an insecure protocol to access the BBS
AB> is ultimately the sysop's decision.

And a BBSer's choice, as well.  I'm a relatively young BBSer but it isn't
acceptable to have multiple identities (nor aliases) on `FidoNet'; i'd
know what MY option is should the matter become a major problem!  My
previous reply followed this logic, in a way: we always have the option
of informing the authors/SysOps about security issues we come to notice.

Salutations,  :)

Michel Samson
a/s Bicephale
http://public.sogetel.net/bicephale/

.... `MS-DOS v7.10a'+`LSPPP v0.8'+`RLFossil v1.23'+`MS-Kermit v3.15 Med.'
___ MultiMail/MS-DOS v0.45 - Numbers make BBSing UNIVERSAL, not sugar...
--- Maximus/2 3.01
 * Origin: COMM Port OS/2 juge.com 204.89.247.1 (281) 980-9671 (1:106/2000)
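
Added example, not part of the message above and not code from any BBS package: a sketch of the "validate using ~SSH~, then grant ~TelNet~ by ~IP~" gate the message proposes. The TelnetGate class, the 30-minute window, the per-user binding and the ISO-timestamped sshd log lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# OpenSSH success line: "Accepted <method> for <user> from <ip> port <n> ssh2"
ACCEPTED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

# Constructed sample log (assumed ISO timestamps, documentation IP ranges).
SAMPLE_LOG = """\
2004-10-27T22:50:00 bbs sshd[311]: Accepted password for alice from 192.0.2.10 port 40112 ssh2
2004-10-27T22:51:30 bbs sshd[312]: Failed password for bob from 198.51.100.7 port 40290 ssh2
2004-10-27T22:52:10 bbs sshd[313]: Accepted publickey for bob from 203.0.113.5 port 40555 ssh2
"""

class TelnetGate:
    """Approve a source IP for Telnet only for `window` after an SSH login."""
    def __init__(self, window=timedelta(minutes=30)):  # window is an assumption
        self.window = window
        self.approved = {}  # ip -> (user, expiry)

    def ingest(self, log_text):
        for line in log_text.splitlines():
            m = ACCEPTED.match(line)
            if m:  # failed logins never match, so they approve nothing
                ts = datetime.fromisoformat(m["ts"])
                self.approved[m["ip"]] = (m["user"], ts + self.window)

    def check(self, ip, user, now):
        """Return (allowed, reason) for a Telnet login attempt."""
        entry = self.approved.get(ip)
        if entry is None:
            return False, "no SSH validation from this address"
        approved_user, expiry = entry
        if now >= expiry:
            del self.approved[ip]
            return False, "approval expired"
        if user != approved_user:
            # Same address (e.g. shared NAT) but a different BBS identity.
            return False, "address approved for another user"
        return True, "ok"

def demo():
    gate, t = TelnetGate(), datetime(2004, 10, 27, 23, 0)
    gate.ingest(SAMPLE_LOG)
    return [gate.check("192.0.2.10", "alice", t),
            gate.check("198.51.100.7", "bob", t),
            gate.check("192.0.2.10", "bob", t),
            gate.check("203.0.113.5", "bob", t + timedelta(hours=1))]
```

Approval here vouches for an address, not a person, and the Telnet session that follows is still unencrypted.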