Re: hosting a secure website accessible from only a few IP addresses and users
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 06/24/03
- Previous message: Bjorn Randell: "Re: Man in the Middle SSL Attack"
- In reply to: 2pac: "Re: hosting a secure website accessible from only a few IP addresses and users"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Jun 2003 07:12:20 GMT
In article <d04df644.0306231809.53bd087b@posting.google.com>,
2pac <cal_2pac@yahoo.com> wrote:
:Thanks for the suggestions
:a) family has got static IPs
:b) authenticated user logins (OR logins over SSL) may be useful - but
:am wondering how good against hacker brute force or dictionary
:attacks.
:If popular websites can get hacked - the moment I let someone know
:that there is a port open (and the identity of the web server
:software) - I may be susceptible to attack
You are going to be "susceptible to attack" as long as you
use your computer on the net (even if not as a server.)
If you do not use your computer on the net, your computer
is still susceptible to attacks if someone can convince you to
load software they sent you. And even if you never run anything
you didn't write yourself and you never connect to the net,
you are susceptible to "Van Eck monitoring" or Tempest-type
attacks. And if you lock your computer in a shielded room,
there are attacks based upon monitoring your voltage draw,
or based upon introducing a spy device ("bug") inside the room.
Basically, as long as the computer exists, it is "susceptible
to attack".
Brute force attacks take *time*. How many connections per second will
your firewall allow? 1000 perhaps? If the average entropy of characters
in the passwords is (say) 5 bits [i.e., an assumption that people do
NOT select password characters very randomly], and if the minimum
password length is 6 characters [rather on the short side], then there
would be 2^(5*6) = 2^30 passwords, which is about 10^9. At 1000 per
second, it'd still take an average of 500,000 seconds to brute force,
which is about 5 3/4 days -continuous-, under these assumptions of weak
passwords. Is your setup going to be such that you aren't going
to -notice- a concerted breakin effort within 6 days?
--
Come to think of it, there are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare. -- Blair Houghton.
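The brute-force arithmetic in the reply above, turned into a small calculation a defender can rerun with their own rate limit and password policy. This is an added example, not code from the original post; the function names and parameters are my own. Note that the post rounds 2^30 down to 10^9, which is why it arrives at 500,000 seconds (about 5 3/4 days) where the exact figure is roughly 537,000 seconds (about 6.2 days); the assumptions (5 bits of entropy per character, 6-character minimum, 1000 attempts per second) are the post's.

```python
# Added example (not from the original post): expected online-guessing time
# under the reply's assumptions, plus how much of the keyspace an attacker can
# cover inside the window in which you would expect to notice the attempt.
from typing import Dict

SECONDS_PER_DAY = 86_400


def brute_force_estimate(bits_per_char: float, min_length: int,
                         attempts_per_second: float) -> Dict[str, float]:
    """Keyspace and average time to guess a password online.

    bits_per_char       -- assumed entropy of each password character
    min_length          -- shortest password the policy allows
    attempts_per_second -- login attempts the firewall/server lets through
    The expected number of guesses before success is half the keyspace.
    """
    if bits_per_char <= 0 or min_length <= 0 or attempts_per_second <= 0:
        raise ValueError("all parameters must be positive")
    keyspace = 2 ** (bits_per_char * min_length)
    expected_guesses = keyspace / 2
    seconds = expected_guesses / attempts_per_second
    return {
        "keyspace": keyspace,
        "expected_guesses": expected_guesses,
        "seconds": seconds,
        "days": seconds / SECONDS_PER_DAY,
    }


def fraction_covered(bits_per_char: float, min_length: int,
                     attempts_per_second: float, window_seconds: float) -> float:
    """Share of the keyspace an attacker can try within a monitoring window.

    Useful for the post's closing question: if you would notice a concerted
    break-in attempt within N days, how far could it have got by then?
    """
    keyspace = 2 ** (bits_per_char * min_length)
    return min(1.0, attempts_per_second * window_seconds / keyspace)


if __name__ == "__main__":
    # The post's assumptions: 5 bits/char, 6-char minimum, 1000 attempts/s.
    est = brute_force_estimate(5, 6, 1000)
    print(f"keyspace 2^30 = {est['keyspace']:.0f} passwords, "
          f"average {est['seconds']:.0f} s = {est['days']:.2f} days")
    # Per-IP throttling to 10 attempts/s stretches the same search 100-fold.
    throttled = brute_force_estimate(5, 6, 10)
    print(f"at 10/s: {throttled['days']:.0f} days")
    # Fraction of the keyspace reachable before a 6-day detection window ends.
    print(f"covered in 6 days at 1000/s: "
          f"{fraction_covered(5, 6, 1000, 6 * SECONDS_PER_DAY):.1%}")
```

The second function is the defender's view of the same numbers: the rate your firewall accepts and the time it takes you to notice a sustained stream of failed logins together bound how much of the password space an attacker can exhaust, independent of how strong the passwords are.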