[Xastir] Captcha's

Eric H. Christensen eric at christensenplace.us
Fri Jun 13 15:23:40 EDT 2014


The mechanism that LoTW uses is similar to what can be done for the wiki.  LoTW is using a certificate to digitally sign a file that is then transmitted to the LoTW servers.  What you can do with ssl_mod (using httpd) is to require client-side certificate authentication.  Fedora uses this for their package build server and I've seen it a couple of other places.  This isn't something that's easy (although it's not overly difficult, either).  You must have some sort of cryptographic system in place to generate and manage certificates (Dogtag?).

From a security point of view I think this would be great.  Of course you'd need to do some basic upgrades to the security of the server itself first.

73,
Eric W4OTN


On Fri, Jun 13, 2014 at 01:45:18PM -0400, David A Aitcheson wrote:
> Curt,
> 
> I also STRONGLY suggest and support the solution that "Hessu" has
> developed as mentioned by John AB0OO.
> 
> Heikki Hannikainen OH7LZB (AKA Hessu) gave a talk on just this subject
> at the 2013 ARRL and TAPR Digital Communications Conference that was
> held in Seattle Washington during September 2013. (Hmm, I wonder if that
> was near your QTH Curt? ;-)  )
> 
> This entire talk is the subject of HamRadioNow "Episode 113 from the
> DCC: Authenticated Amateur Radio Web Services" that is available on
> YouTube.com at http://www.youtube.com/watch?v=wQxtvvhf4K8
> 
> It is a video that runs 50 minutes and 25 seconds in total and if my
> memory serves me correctly Hessu does offer to assist others on a
> limited basis especially in the APRS world.
> 
> While my LotW Certificate has expired and I do not plan on renewing it,
> or using LotW in any way, I do think it would be a good way to
> authenticate new members going forward.
> 
> 73
> Dave
> KB3EFS
> 
> 
> On 06/13/2014 12:49 PM, John Gorkos wrote:
> > Curt-
> >   Not looking for work for you, but one option might be to look at the
> > work Hessu has done in using ARRL LOtW certificates as authentication
> > factors for Wiki log in.  The process is fairly straightforward on the
> > server side, and you tell it to trust any client certificate signed by
> > the ARRL cert.  In this way, the server has access to all of the
> > information in the Client Cert, including callsign, full name, etc.
> >
> > Again, I know that your time is much better spent coding Xastir than
> > monkeying around with HTTP servers, but it's a thought, and the ARRL has
> > really done all the hard work in terms of creating a cert pool and
> > issuing them to people who are "legit" ham radio operators...
> >
> > John Gorkos
> > AB0OO
> >
> >
> > On 6/13/14, 12:39 PM, Curt, WE7U wrote:
> >> I implemented Captcha's last night, then turned the new user account
> >> feature back on.  Wiki's can end up with new spam logins even with that,
> >> but it's greatly reduced.  I guess
> >> people actually employ others to get through the captcha's...
> >>
> >> If we start getting more than one or two new spam users a week I'll
> >> change the configs so new logins must be authorized by an admin.  That
> >> should put an end to it.  In fact I may just do that in any case!
> >>
> >> This captcha is easier (for humans) to get through than most I've seen. 
> >> You see a series of dog and cat pics and must select all of the cat pics
> >> to get through.
> >>
> >> The only bug I've seen:  The enlarged pic when you hover over them is
> >> too high on the frame, so the top of the pic gets cut off.  Even so I
> >> was able to get through the captcha each and every time.
> >>
> > _______________________________________________
> > Xastir mailing list
> > Xastir at lists.xastir.org
> > http://xastir.org/mailman/listinfo/xastir
> >
> 
> -- 
> David A Aitcheson david.aitcheson at gmail.com Go Green! Print this email
> only when necessary.
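A sketch of the httpd client-certificate setup discussed in this thread, added here as an illustration and not taken from any of the posts or from Hessu's work. The hostname, file paths, the `/wiki` location, the verify depth, and the choice of the certificate CN as the login name are all assumptions.

```apache
# Added example: hostname, paths and /wiki are placeholders (assumptions).
<VirtualHost *:443>
    ServerName wiki.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/wiki.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wiki.example.org.key

    # Trust anchor for CLIENT certificates. Put only the issuing CA chain
    # you intend to accept here, not the system-wide CA bundle, or any
    # certificate from any public CA would pass verification.
    SSLCACertificateFile  /etc/pki/tls/certs/client-issuing-ca.pem

    # Maximum chain length between client cert and trust anchor.
    # The value depends on the CA hierarchy; 2 is an assumption.
    SSLVerifyDepth 2

    # Reject revoked client certificates (Apache 2.4 directives).
    SSLCARevocationFile   /etc/pki/tls/crl/client-issuing-ca.crl
    SSLCARevocationCheck  leaf

    <Location "/wiki">
        # Weak setting, shown for contrast: optional_no_ca accepts a
        # certificate without validating its chain, so a self-signed
        # certificate with any subject would be let through.
        # SSLVerifyClient optional_no_ca

        # Hardened setting: the TLS handshake fails unless the client
        # presents a certificate that chains to SSLCACertificateFile.
        SSLVerifyClient require

        # Export SSL_CLIENT_* variables (subject DN, serial, validity
        # dates, verify result) to the wiki application.
        SSLOptions +StdEnvVars

        # Set REMOTE_USER from a subject field. Which field carries the
        # identity depends on the CA's certificate profile; CN is an
        # assumption here.
        SSLUserName SSL_CLIENT_S_DN_CN
    </Location>
</VirtualHost>
```

The application should trust `REMOTE_USER` only when `SSL_CLIENT_VERIFY` is `SUCCESS`, and should still map the certificate identity to a wiki account rather than auto-granting edit rights.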


