[tech] WebCT access now denied from wireless

Grahame Bowland grahame at angrygoats.net
Mon Oct 1 12:27:09 WST 2007


Anyone using the proxy is also transmitting their password, likely
their Pheme password, in the clear. The fact that there is one
password that grants access to all student services without a
thought-out plan to protect that password is a hard thing for UCC to
fix. Is it really worth caring, other than to report the problems to
ITS (or possibly higher up?)

On 01/10/2007, David Adam <zanchey at ucc.gu.uwa.edu.au> wrote:
> All requests to WebCT from UCC's wireless are now disallowed, and a
> warning page displayed instead (this is implemented with a DNAT on the
> firewall and an extra virtual host on Mussel).
>
> WebCT does not use SSL to protect its authentication transactions, but
> uses Pheme passwords, so we were allowing people to transmit their
> password in the clear. This is a little irresponsible, so we're now
> redirecting users to a copy of http://mussel.ucc.gu.uwa.edu.au/webct6/
> (probably only visible on FREENETS).
>
> This is a precursor to a general disclaimer which I'd like to place on the
> wireless for all users, as many people are not aware of programs like
> dsniff(1) or driftnet(1).
>
> If there are other pages which allow you to submit your Pheme password in
> the clear, please contact me (off list, duh) and we'll block those too.
>
>
> David Adam
> UCC Wheel Member
> zanchey@
>
>
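
The request above for reports of other pages that accept a Pheme password in the clear can be checked mechanically. The following is an added example, not part of either message or of UCC's setup: it scans a page's HTML for password forms that are served or submitted over plain HTTP. The host name and the function name `cleartext_password_forms` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordFormScanner(HTMLParser):
    """Records the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self.actions = []      # action attribute of each password-bearing form
        self._action = None    # action of the form being parsed; None outside a form
        self._counted = False  # True once the current form has been recorded

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action, self._counted = a.get("action") or "", False
        elif (tag == "input" and self._action is not None and not self._counted
              and (a.get("type") or "").lower() == "password"):
            self.actions.append(self._action)  # recorded here, so unclosed forms count
            self._counted = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def cleartext_password_forms(page_url, html):
    """Return (target_url, reason) for each password form exposed on the wire."""
    scanner = _PasswordFormScanner()
    scanner.feed(html)
    scanner.close()
    page_is_http = urlsplit(page_url).scheme == "http"
    findings = []
    for action in scanner.actions:
        target = urljoin(page_url, action)  # an empty action posts back to the page
        if urlsplit(target).scheme == "http":
            findings.append((target, "password sent over plain HTTP"))
        elif page_is_http:
            findings.append((target, "login form served over plain HTTP"))
    return findings


if __name__ == "__main__":
    # Constructed sample page; the host name is a placeholder, not from the post.
    page = '<form action="auth" method="post"><input type="password" name="pw"></form>'
    for target, reason in cleartext_password_forms("http://lms.example.edu/webct/login", page):
        print(f"{reason}: {target}")
```

A form that posts to HTTPS from an HTTP page is still reported, because the page carrying the form can be altered in transit before the user types anything.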


