Security in Enhanced Web Admin

[Deathdefyer2002]

Hey
I was just wondering how secure the Web Admin is. I know that if you are going to be accessing it from the internet there are inherent risks. What I am wondering is if there is any kind of encryption scheme used to ensure that the login and password isn't flying around the net in plain text. If it is in use, then that would make me feel alot better using it. If it isn't, maybe you could point me in the right direction to implement that. I also noticed that recently a new feature was implemented that allowed multiple guests to log in. I am wondering if that login was also secure? Also, Is their an ability to have different levels of security. My idea was having different logins for different people. The administrator then delegates to each user that they can and can not do.

Thanks so much

Inspiring Web developer/Telecommunications Student

[SFX Group]

Hi

Mine has been live on a website, had many try to had it, NEVER had anything altered so no one has got in....

As long as you have a good username and password, i changed the "auto login" addresses to "none" that way there can be no IP spoofing thing going on.

[elite]

Hey
I was just wondering how secure the Web Admin is. I know that if you are going to be accessing it from the internet there are inherent risks. What I am wondering is if there is any kind of encryption scheme used to ensure that the login and password isn't flying around the net in plain text. If it is in use, then that would make me feel alot better using it. If it isn't, maybe you could point me in the right direction to implement that. I also noticed that recently a new feature was implemented that allowed multiple guests to log in. I am wondering if that login was also secure? Also, Is their an ability to have different levels of security. My idea was having different logins for different people. The administrator then delegates to each user that they can and can not do.

Thanks so much

Inspiring Web developer/Telecommunications Student

I assume the username/password is sent as plain text (as a lot of software does, including those with much more sensitive information - email etc) - I guess if you were to setup Apache CLI maybe you could use SSL??

As SFX Group says I've been running it 24/7 for at least a year without any problems and TBH if someone got past the authentication the worst they could do is delete some recordings or even set Strictly Come Dancing to record :eek:

[UncleJohnsBand]

There is security in the id and password when it is passed accross......to establish your validation credentioals the id and password that are entered are updated with a server based "salt" that is then used to reconvert what was entered whne the data gets to the server.

The "salt" is ever changing therefore it is valid only on your login....if someone else tried to use that info they would fail.

[Deathdefyer2002]

Does this "Salt" Reside in my Gbpvr server? or is that an aspect of the data transversing across the internet? Maybe you could just explain salt in a little bit better detail.


Thanks for ALL the help!

[ACTCMS]

Does this "Salt" Reside in my Gbpvr server? or is that an aspect of the data transversing across the internet? Maybe you could just explain salt in a little bit better detail.

"salt" is used in cryptography. You can find a bit more detail here...

Alex

[UncleJohnsBand]

Does this "Salt" Reside in my Gbpvr server? or is that an aspect of the data transversing across the internet? Maybe you could just explain salt in a little bit better detail.


Thanks for ALL the help!

Yes...it is generated on the gbpvr server and then the user id and password are encrypted with MD5 cryptography on the client.....then passed to the server......decrypted and salt applied.....result compared to what is in the GBPVR Config and if they match your authentication cookie is created.

[elite]

Yes...it is generated on the gbpvr server and then the user id and password are encrypted with MD5 cryptography on the client.....then passed to the server......decrypted and salt applied.....result compared to what is in the GBPVR Config and if they match your authentication cookie is created.

I stand corrected re plain text

[mixedup]

I have an existing Apache server in my firewall PC. Has anyone tried exposing the GB-PVR web application via an existing apache server? If so I'd be interested in how you did it / what your apache configuration was.

[elite]

I have an existing Apache server in my firewall PC. Has anyone tried exposing the GB-PVR web application via an existing apache server? If so I'd be interested in how you did it / what your apache configuration was.

I did this many releases ago following the instructions here