by nevinera 4691 days ago
I set it up just now, and it was very easy to get moving. I'm no ops master, but it only took a few minutes, and it's a bit nicer than the homerolled solution I had been using. My writeup is on my new blog at http://nevinera.net/trying-out-specter
2 comments

I have a question...

>Specter takes the elegant/lazy approach of not using sessions at all - access to edit and create pages is entirely via URL, and permission to actually perform those changes is granted by including a 'secret' (a password) in the form. It's not the most secure form of defense (I'm not using SSL, so a wireless sniffer could easily determine my password, for example), but it's sufficient for a nonprofessional.

Is there something I can do to make it more secure but still follow the lazy approach? I am asking because I use Heroku, which is not secure either.

I believe the standard approach is to hash the password in the browser and submit the hash for comparison - then if somebody observes the transaction they will only have gained access to the blog, and not everything with which it shares a password.

On the other side, it is typically better not to store the password on the server either. You could accomplish that by giving a utility to store a hash in a file, but that's a bit heavy I guess.
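The two ideas in the thread so far (hash the password in the browser; keep only a hash on the server) can both be tried in a few lines. The block below is an added example, not code from Specter or from either commenter, and its request handler, field names and PBKDF2 parameters are assumptions made for the illustration. It shows the server-side half that is worth keeping (a salted PBKDF2 hash written by a small utility, verified with a constant-time compare) and also why browser-side hashing on its own does not stop a sniffer: whatever the browser sends is the credential the server accepts, so a captured hash replays just as well as the password it was derived from.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed work factor for the stored hash; raise it as hardware allows.
ITERATIONS = 200_000


def make_stored_hash(secret: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash of the form secret.

    This is what a "utility to store a hash in a file" would write out,
    so the plaintext secret never has to live on the server.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def check_form_secret(submitted: str, stored: str) -> bool:
    """Verify the secret sent in the edit/create form against the stored hash."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed stored value: fail closed
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"), salt, int(iters))
    # Constant-time compare so response timing does not leak the digest.
    return hmac.compare_digest(candidate, expected)


def handle_edit_request(form: Dict[str, str], stored: str) -> Tuple[int, str]:
    """Hypothetical handler for the URL-plus-form-secret flow (assumed shape)."""
    if not check_form_secret(form.get("secret", ""), stored):
        return 403, "bad secret"
    return 200, "saved"


# --- The browser-side hashing variant, and why it does not help on its own ---

def client_side_hash(password: str) -> str:
    """What the browser would submit under the 'hash in the browser' scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def server_accepts_client_hash(submitted_hash: str, stored_hash: str) -> bool:
    """Server check under that scheme: the submitted hash IS the credential."""
    return hmac.compare_digest(submitted_hash, stored_hash)


def sniffer_can_replay(password: str) -> bool:
    """Simulate a wireless sniffer that captured one form submission.

    It never learns the password, but the captured value is accepted as-is,
    so without SSL the scheme only protects other sites that share the
    password, not the blog itself.
    """
    captured = client_side_hash(password)  # seen on the wire
    return server_accepts_client_hash(captured, client_side_hash(password))


if __name__ == "__main__":
    stored = make_stored_hash("correct horse")
    print(handle_edit_request({"secret": "correct horse"}, stored))
    print(handle_edit_request({"secret": "wrong"}, stored))
    print("replay works without SSL:", sniffer_can_replay("correct horse"))
```

The stored string carries its own salt and iteration count, so the utility that writes it and the app that checks it do not need to share any other configuration; rotating the secret is a matter of rewriting one file.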

I meant for a nonprofessional /blogger/, incidentally, not a nonprofessional coder :-)

It looks like the actual best answer is to use ssl - apparently most apps transmit their password in the clear, and just rely on ssl to keep it from being observed. I'll amend my post.
Ah thanks for letting me know. I had opened an issue to change my implementation but I guess I will leave it now. Thanks once again.
Why thank you sir for this detailed write up! You did a great job.