Is there any way to combine htaccess with one-time-pads?
The problem is the followring: Somebody wanna have acces to serval
statistics (provided via https). Unfortunately I`ve thos eproblems:
A VPN is no solution because this guy should have acces even from public
Computers (so storing a VPN-Key is a very bad idea and a Password could
get sniffed :( ).
A simple htaccess is also no solution for him because Passwords could get
sniffed. Even using https wont be neought for him because that could ge
spoofed (man in the Middle in internet-cafes).
So I searched with google but found no way to use skey with htaccess.
Is there any way to use one-time-pads with htaccess? :-/
skey with ftp is no solution because the data gets transfered in plain-text.
skey with ssh is no solution either because I wont realy open the
ssh-port :-/
Any suggestions?
Kind regards,
Sebastian

Thu, Jul 06, 2006 at 01:33:52PM +0200, sebastian.rother (AT) jpberlin (DOT) de wrote:
Is there any way to combine htaccess with one-time-pads?

Looks like a difficult task, as http is not session based. So, the
brower would ask for a new TP on every GET request. This means not
only once per page, but multiple times per page if there are
stylesheets and/or pictures involved. Does not seem feasable.

Bernd

Is there any way to combine htaccess with one-time-pads?

The problem is the followring: Somebody wanna have acces to serval
statistics (provided via https). Unfortunately I`ve thos eproblems:

A VPN is no solution because this guy should have acces even from
public Computers (so storing a VPN-Key is a very bad idea and a
Password could get sniffed :( ).
A simple htaccess is also no solution for him because Passwords could
get sniffed. Even using https wont be neought for him because that
could ge spoofed (man in the Middle in internet-cafes).

So I searched with google but found no way to use skey with htaccess.
Is there any way to use one-time-pads with htaccess? :-/

skey with ftp is no solution because the data gets transfered in
plain-text. skey with ssh is no solution either because I wont realy
open the ssh-port :-/

Any suggestions?

Kind regards,
Sebastian

Write a 'wrapper' around your pages using cgi/php/whatever, that
provides a loginprompt with onetime keys. Using sessions will give you
one key per session instead of one per file fetched.

Regards
// Bjorn

Thu, Jul 06, 2006 at 03:23:40PM +0200, Rogier Krieger wrote:
7/6/06, Bernd Schoeller <bernd.schoeller (AT) inf (DOT) ethz.chwrote:
Thu, Jul 06, 2006 at 01:33:52PM +0200, sebastian.rother (AT) jpberlin (DOT) de
>wrote:
>Is there any way to combine htaccess with one-time-pads?
>
>Looks like a difficult task, as http is not session based. So, the
>brower would ask for a new TP on every GET request.

Sounds like a good point. I'd suppose adding session information in
the web service (e.g. using Perl's Apache::Session, PHP, etc.) can
alleviate that problem. am I in need of a good clue by four here?

No, this should work. Just be sure to actually use sessions that work -
far too many can be trivially spoofed.

Joachim