[aprssig] APRS-IS authentication (Was: APRS-IS Passcode Generator On-Line)
Georg Lukas DO1GL georg at op-co.deThu Aug 19 15:42:21 UTC 2010
- Previous message: [aprssig] APRS-IS Passcode Generator On-Line
- Next message: [aprssig] APRS-IS authentication (Was: APRS-IS Passcode Generator On-Line)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello Stephen, hi all! * Stephen H. Smith <wa8lmf2 at aol.com> [2010-08-08 06:04]: > While studying stats for my website last night, I discovered that this > address was producing referals to my site: > > <http://wiki.github.com/ge0rg/aprsdroid/> [..] I am really sorry for the confusion I caused to you, and I would have been really glad to hear from you directly. I can remove the links to your site if you wish so (or mirror the data on my own if you are concerned about the traffic). However, as you pointed out, the information is freely available to anyonce capable of using google ;-) My primary concern with this reply however is the access barrier to APRS-IS. Once released to Android Market, APRSdroid will be available to a huge audience, consisting mainly of non-hams. Right now, the access barrier consists of a warning dialog at the first program start, stating that it is probably illegal to use without a license, and the requirement to figure out the APRS-IS passcode. So far, some people asked me via e-mail, some others found the aprspass tool from aprsd, but most users used your online passcode generator. Of course, this method can be easily circumvented with bad intent. On the other hand, requiring an authentication mechanism comparable to the one on EchoLink just to access a 16-bit hash number is neither efficient nor adequate. After all, other applications are just taking the callsign and silently calculate the passcode. What would be the adequate level of checking for this (or any other) APRS-IS application? The options I see so far are: * No checking, automatic passcode calculation (too easy for accidental abuse by non-hams?) * Match the callsign against a regular expression * Require entry of the passcode, providing an online form for passcode generation * Provide an online form requiring name, callsign and email address and logging the data for abuse management * Require passcodes to be requested by e-mail (adds much work but does not really prevent callsign stealing) * Perform an EchoLink-like authentication check I'd be glad to hear opinions and suggestions from this community! 73 de DO1GL, Georg Lukas -- || http://op-co.de ++ GCS/CM d-- s: a- C+++ UL+++ !P L+++ E--- W++ ++ || gpg: 0x962FD2DE || N++ o? K- w---() O M V? PS+ PE-- Y+ PGP++ t+ || || Ge0rG: euIRCnet || 5 X R(+) tv b+(++) DI+++ D+ G e+++ h- r++ y? || ++ IRCnet OFTC OPN ||________________________________________________|| -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 190 bytes Desc: Digital signature URL: <http://www.tapr.org/pipermail/aprssig/attachments/20100819/b190dd7a/attachment.pgp>
- Previous message: [aprssig] APRS-IS Passcode Generator On-Line
- Next message: [aprssig] APRS-IS authentication (Was: APRS-IS Passcode Generator On-Line)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the aprssig mailing list