On 13/04/11 16:45, Michael Hamann wrote:
> Hi,
>
> Excerpts from andy baxter's message of 2011-04-13 09:22:37 +0200:
> [...]
> > Could you let me know a bit more about what the risks are; for example how much more of a risk is it to use xmlrpc over http than just to do a standard site login over http?
>
> The risk is basically that with every request your password is sent in plaintext to the server - or if you are using URL parameters for the login it might even appear in server log files. We however support also a cookie-based approach which is used in the sync plugin, so in the sync plugin the password is only transferred once for every sync/request you do. If you enable XML-RPC just for your user account there shouldn't be any additional risk.
>
> Also, cookies aren't completely safe: currently all cookies (in the future only if the "remember me" box is checked) are like a login and password for your account and remain valid until you change your password; for details have a look at: http://bugs.dokuwiki.org/index.php?do=details&task_id=2202
>
> So in short: If you are concerned about the data and your login data and that somebody might intercept your connection to the server consider using SSL (for your whole wiki, not just for XML-RPC), but there shouldn't be any additional risk apart from the risks that exist for the normal web interface, too - provided that you restrict XML-RPC usage to certain users because bots could use the XML-RPC interface to easily change large parts of the wiki.
Thanks - that's clear and really helpful :)

I'm more worried about losing data than someone else having it, so if I keep good backups and restrict xmlrpc to one user, it sounds like I should be ok.
-- DokuWiki mailing list - more info at http://www.dokuwiki.org/mailinglist
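The reply above notes that credentials passed as URL parameters end up in server log files. The following is an added example (not code from the thread or from DokuWiki) that scans access-log lines for requests that carried a username or password in the query string, so an administrator can spot such clients and redact the values before the logs are kept; it assumes DokuWiki's login form field names are `u` and `p`, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: DokuWiki's login form fields are named "u" (user) and "p" (password);
# a client that sends them as URL parameters leaves them verbatim in the access log.
CREDENTIAL_PARAMS = {"u", "p"}

# Apache/nginx "combined" format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})')

def credential_params(target):
    """Names of credential parameters present in a request target's query string."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k in CREDENTIAL_PARAMS})

def scan_access_log(lines):
    """Return (line number, client, path, leaked params) for every request whose URL
    carried a username or password, e.g. an XML-RPC client logging in via GET."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        leaked = credential_params(m.group("target"))
        if leaked:
            hits.append((n, m.group("client"), urlsplit(m.group("target")).path, leaked))
    return hits

def redact_target(target):
    """Blank the value of each credential parameter so the line can be retained for forensics."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Apr/2011:16:45:01 +0200] "POST /lib/exe/xmlrpc.php HTTP/1.1" 200 512 "-" "sync-plugin"',
    '203.0.113.7 - - [13/Apr/2011:16:45:02 +0200] "GET /lib/exe/xmlrpc.php?u=andy&p=hunter2 HTTP/1.1" 200 311 "-" "curl/7.21"',
    '198.51.100.9 - - [13/Apr/2011:16:46:10 +0200] "GET /doku.php?id=start&do=login HTTP/1.1" 200 4021 "-" "Mozilla"',
]

if __name__ == "__main__":
    for n, client, path, leaked in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {client} put {', '.join(leaked)} in the URL of {path}")
```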