I need to monitor my Adwords account during this time, using public computers. But that's obviously not secure at all. I do have some scripts to download reports via the API. But sometimes you need to adjust bids and more advanced things.
Is there a secure way to access my account through public computers? Maybe some proxy server, a complete webbased api interface, vpn...? I have a dedicated linux server with apache etc, to install stuff on.
I don't mind other people seeing my account data, I just don't want to type in my password on a public computer. I would need some kind of use-once-only passwords.
I hope someone can tell me what to look for!
A GOOD Internet Cafe will have a means to re-load the hard disk quickly with a clean image. You might be able to request that they do that.
In any case, always clear the browser cache after you are done.
It would be better to take your own notebook computer. If you don't have Internet in your hotel, many Internet Cafes will allow you to plug-in your own notebook. And, of course, you will probably be able to find some wireless access points. An additional precaution would be to use VPN software on your notebook. You would connect via VPN to your home computer, and go back out to the Internet from there. The connection between your notebook and home is off-limits to any prying eyes along the way.
Dunno about proxy services with auto-resetting passwords. Sounds like a great idea, though! This could be done with a pre-printed "code book", or with a security appliance (such as the one my stock broker sent me).
The proxy would have to have your Adwords user ID/password stored. You would have to trust the proxy with this, which is not something I would trust a third party with. (So best to run this software on your home machine.) It wouldn't have to change your Adwords password. What would change after a session is the password used to access the proxy server.
This wouldn't protect the account information displayed during a session. But, then, you've said you are not concerned about that. It would protect your password, though.
Since this has the gears in my head working thinking about developing such a product myself, that makes me almost certain that somebody else has already done this. ;) So, it's probably just a Google search away.
I use Remote Desktop when I'm on vacation. I connect to my computer at home remotely, and then surf the net from my home computer. My home ip address is used when I do this.
"I use Remote Desktop when I'm on vacation. I connect to my computer at home remotely, and then surf the net from my home computer."
It would be a particularly bad idea to do this from a public computer. You'd be potentially exposing your home computer to total control by somebody who has installed a key-logger on the public computer.
Don't do it.
Hardware key loggers are inexpensive and can be easily incorporated into keyboard casings.
If you don't notice a hardware logger then you have no defence, no matter what you do with software.
Although the likelihood of being the victim of such a stunt is low, think of the damage that could be done if you were unlucky.
It's your decision.
* A bootable Linux CD. A good idea. Should be secure, but hardware keylogger can be a problem. I didn't know about such devices.
* Take a notebook. Good idea as well, but I don't like the extra weight.
* Remote desktop, that would be the ideal way! But from what I can see, you log into your home computer with a username/password. With a keylogger on the public computer, somebody can catch that combination, and log into your home computer later, very insecure!
* A proxy server with disposable passwords. Jtara, you are into what I'm thinking about. I've searched for such a software but so far found nothing useful. I've sketched on something to code myself, but I got stuck. Server is no problem as I have one always online.
Apache also has mod_proxy, which can make it act as a proxy server.
At worst, then, you'd have to modify an example authentication module so that it changes the password after each use. But perhaps such an authentication module already exists. (It does - see below!)
Better yet would be to use a SecurID device. This is a little keychain-fob device that has a numeric keyboard and small display. These are used by banks, brokerages, etc. My stock broker provides me with one of these to access their site.
RSA SecurID® hardware tokens provide "hacker-resistant" two-factor authentication, resulting in easy-to-use and effective user identification. Based on RSA Security’s patented time synchronization technology, this authentication device generates a simple, one-time authentication code that changes every 60 seconds.
First, you enter a PIN into the device. The website displays a number before logging-in. You also enter this number into the device. It then displays a temporary passcode, which you then enter into the website. Upon next use, it generates a new temporary passcode. This scheme is one means of implementing so-called "two factor authentication".
And, of course, RSA (the manufacturer - I'm sure there are other manufacturers of similar devices) provides an Apache authentication module! (RSA Authentication Agent 5.3 for Apache Web Server).
I dunno the costs or if this would be practical for an individual to implement. It does appear that the authentication agent is a free download, though. I also see that they are offering a free Authentication Manager and SecurID Token trial for developers. :)
I see a couple of intriguing commercial opportunities here:
1. A third-party proxy service. Not as secure as running this on your own home computer, of course, since you would have to trust the service. Probably best if done by a trusted big name.
2. A website explaining just how to do this. In my searching, I did not come across a site explaining just how to do this at home. I think it would make an intriguing mini-site (which could potentially draw high-value security-related ads). If you have the time, you just might develop such a site as you poke through the RSA documentation and experiment with your server. :)
If you do a search for "SecurID" you will come up with all sorts of intriguing possibilities, both in the natural search results and in the ads. For example, somebody has a password scheme that uses your typing rhythm for authentication.
But once you have a secure proxy server using one-time passwords, it isn't too much of a stretch from there.
For example, you could put a PHP page (or Perl, or whatever) on your server at home that would do the login for you, and then hand control over to the proxy. (Not sure just how you would do the latter - possibly just an HTTP redirect to the proxy server.) The password(s) (as obviously this could be used for sites other than Adwords) could be stored in a database on your server, or just embedded in the PHP code.
"Good idea as well, but I don't like the extra weight."
Buy an ultraportable, I have a Sony TX2XP/B - it's tiny and weighs almost nothing!
Alternatively, you can get some mobile phones with a built in browser, good enough to do adwords account maintenance etc.
Now, if you don't have, and have money and don't like the extra-weight, get a PDA.