[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnumed-devel] Hosting an encrypted pythonic simplehttp GNUmed serve

From: Sebastian Hilbert
Subject: Re: [Gnumed-devel] Hosting an encrypted pythonic simplehttp GNUmed server
Date: Sun, 1 Aug 2010 09:58:08 +0200
User-agent: KMail/1.13.3 (Linux/2.6.33-6-desktop; KDE/4.4.5; i686; ; )

Am Sonntag 01 August 2010, 09:18:54 schrieb Jim Busser:
> On 2010-07-30, at 1:42 PM, Sebastian Hilbert wrote:
> >>> The pyjamas web app use the exact same security the wxpython
> >>> app does. the only difference is that it transports the information via
> >>> the http protocol.
> Some thoughts…
> - users who would connect would be using a standard browser
> - we may agree that authentication plus transfer of patient information
> ought to be over an encrypted connection
> - simplehttp provides only http

Seems like ssl is possible as well
> - how to provide the encryption... do it inside apache?
>       is there any better alternative?
> - the connecting user should point to
>       https://<IP or domain name of gnumed server"
>       if IP, user would need to ignore the SSL certificate (hostname mismatch)
>       if domain name
>               - needs to be registered
>               - needs an SSL certificate
>               - if self-signed, user needs a way to know to trust it, and add 
> to
> browser
> - does server (simplehttp) inside apache need to be listening to port 443?
> - or can apache redirect port 443 traffic to simplehttp
> - or does some other layer (or device) do this?
I cannot comment as I know too little about that.

I believe to have read that Luke modified simplehttp somwhow. I guess he can 
comment on the ssl part. This is reasonable for using your PC/netbook in an 
open WLAN but on an untrusted PC the keylogger installed by the trojans will 
give your keystrokes away anyway. 

For access from an untrusted PC it might be reasonable to set up some sort of 
limited database where you would export only the patients you are likely going 
to access during your out of office visit. For any patient not in that 
database you would have to call you office staff to copy a record to that 
limited database. Or you have an app on your phone for that which can invoke 
record cpoying on demand. 

Now I understand where you one-time password quest comes from.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]