Calcudoku puzzle forum https://www.calcudoku.org/forum/ |
some site security changes https://www.calcudoku.org/forum/viewtopic.php?f=5&t=411 |
Page 1 of 2 |
Author: | pnm [ Sun Feb 03, 2013 1:38 pm ] |
Post subject: | some site security changes |
Some other changes, with no visible effect though:

- a fix to the "obfuscator" program that "muddles up" the Javascript code that runs the page (the goal here is to make it difficult for people to copy and reuse the software that runs the page)
- an improvement to the password encryption method: I already was using a highly rated "hashing" function to encrypt your passwords (called "whirlpool"). The improvement is that now the passwords are stored with a "salt" value, which is different for every user (!). In practice this means that should the server/database be compromised by a hacker, it'll still be very difficult and time-consuming to recover even a single user password

Compare this to what big companies do, who don't give a **** about security and your privacy, as long as you don't find out about it (LinkedIn, Adobe, eHarmony, Last.fm, etc.):

- 6.5 Million Encrypted LinkedIn Passwords Leaked Online
- Adobe hacked, passwords posted online
- eHarmony confirms breach, about 1.5 million passwords stolen

Patrick

Edit: the password update broke the automatic forum login, this should be fixed now. |
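The per-user salt described in the post above, as an added example that is not part of the thread or the site's own code. SHA-512 stands in for Whirlpool (Python's hashlib only offers Whirlpool on some OpenSSL builds), and the `salt$digest` record format, the function names and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumption: SHA-512 stands in for Whirlpool, which hashlib only offers
# when the underlying OpenSSL build provides it.
HASH_NAME = "sha512"


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; a fresh 16-byte salt is drawn per user."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.new(HASH_NAME, salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def unsalted_hash(password):
    """The 'before' scheme: the same password always gives the same digest."""
    return hashlib.new(HASH_NAME, password.encode("utf-8")).hexdigest()


def users_sharing_a_value(table):
    """Group users whose stored value is identical (visible in a leaked dump)."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts; alice and bob picked the same password.
SAMPLE = {"alice": "sudoku123", "bob": "sudoku123", "carol": "k3nk3n!"}
UNSALTED = {u: unsalted_hash(p) for u, p in SAMPLE.items()}
SALTED = {u: hash_password(p) for u, p in SAMPLE.items()}

if __name__ == "__main__":
    print("unsalted, shared values:", users_sharing_a_value(UNSALTED))
    print("salted, shared values:  ", users_sharing_a_value(SALTED))
    print("bob logs in:", verify_password("sudoku123", SALTED["bob"]))
```

A single pass of a fast hash, salted or not, is still cheap to guess against one password at a time; current practice is a deliberately slow password KDF such as scrypt or Argon2 with the same per-user salt.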
Author: | mparisi [ Sun Feb 03, 2013 10:54 pm ] |
Post subject: | Re: February changes |
pnm wrote:
- an improvement to the password encryption method: I already was using a highly rated "hashing" function to encrypt your passwords (called "whirlpool"). The improvement is that now the passwords are stored with a "salt" value, which is different for every user (!). In practice this means that should the server/database be compromised by a hacker, it'll still be very difficult and time-consuming to recover even a single user password

Yes, but you are still sending the password over the net in the clear instead of using https. |
Author: | pnm [ Sun Feb 03, 2013 11:05 pm ] |
Post subject: | Re: February changes |
mparisi wrote:
Yes, but you are still sending the password over the net in the clear instead of using https.

True, true, so a password could still be intercepted "on the wire". I should fix that too, for completeness' sake.

Patrick |
Author: | pnm [ Mon Feb 04, 2013 12:40 pm ] |
Post subject: | Re: some site security changes |
(moved this to a separate thread, as you can see)

Ok, the login, signup, reset password, and validate pages now all use HTTPS (i.e. an encrypted connection), so that's covered now as well.

In principle this was a small fix (automatically redirect login and signup to HTTPS, change references on the page to HTTPS), but it turned into a bit of a nightmare:

After making the change, I got security warnings from the browser. When I checked the encryption certificates for the site, I found that one of them had expired. Something went wrong when installing an updated certificate, causing the web server itself to not restart (which is why the site was out for about 20 minutes last night, around 22.00 CET :-( ). I disabled encryption altogether (causing problems for the Facebook app access, because Facebook wants HTTPS), and fixed things this morning...

Scream if something is still going wrong for you.

(I did notice that direct login to the forum doesn't work anymore, this will be fixed)

Patrick |
Author: | danvijan [ Mon Feb 04, 2013 4:37 pm ] |
Post subject: | Re: some site security changes |
pnm wrote:
Scream if something is still going wrong for you.

Yes, I have a problem logging in via Chrome. Something about a certificate not being valid. The start-up page loads OK but when I hit the "login" button the error appears. Any other Chrome users experience the same problem? |
Author: | pnm [ Mon Feb 04, 2013 4:51 pm ] |
Post subject: | Re: some site security changes |
danvijan wrote:
Yes, I have a problem logging in via Chrome. Something about a certificate not being valid. The start-up page loads OK but when I hit the "login" button the error appears. Any other Chrome users experience the same problem?

What do you see when you click on the "lock" to the left of the URL in the address bar? This is what I see in Chrome: |
Author: | danvijan [ Mon Feb 04, 2013 9:22 pm ] |
Post subject: | Re: some site security changes |
Since nobody else seems to have that problem I guess it's something with my computer. I'll send you an email with the print screen. Thanks. |
Author: | beaker [ Mon Feb 04, 2013 10:40 pm ] |
Post subject: | Re: some site security changes |
Patrick: I am getting "Certificate Error" and the computer won't allow access to the site unless I scroll down to where it says (more or less) "continue at own risk"........which I do and then the url address appears in red along with the notification of Certificate Error and then I can't login....I'll hit enter on the "login" but nothing happens for quite a long time and when I do finally get in to the site any numbers entered into a puzzle take "forever" to register on the screen....thank goodness for the iPad as it has allowed me to access the site but it is difficult to work with as the numbers are soooo small even with reading glasses......Ken |
Author: | pnm [ Mon Feb 04, 2013 10:55 pm ] |
Post subject: | Re: some site security changes |
beaker wrote:
Patrick: I am getting "Certificate Error" and the computer won't allow access to the site unless I scroll down to where it says (more or less) "continue at own risk"........which I do and then the url address appears in red along with the notification of Certificate Error and then I can't login....I'll hit enter on the "login" but nothing happens for quite a long time and when I do finally get in to the site any numbers entered into a puzzle take "forever" to register on the screen....thank goodness for the iPad as it has allowed me to access the site but it is difficult to work with as the numbers are soooo small even with reading glasses......Ken

Is the link that's shown at the top of the puzzle page: http://www.calcudoku.org (or http://www.calcudoku.org/en)? (so with http, not https)

I'm seeing the same error here running Internet Exploder 8 under Windows XP (which is what you're using), but not when using Firefox (for example) under XP. I'm not sure yet, but it's possible that because IE8 is too old, it doesn't know about "StartCom"'s certificates (the company that I got a (free) certificate from).

Patrick |
Author: | beaker [ Tue Feb 05, 2013 2:59 am ] |
Post subject: | Re: some site security changes |
pnm wrote:
Is the link that's shown at the top of the puzzle page: http://www.calcudoku.org (or http://www.calcudoku.org/en)? (so with http, not https)

At the top it reads "http://calcudoku.org" (sorry, didn't register the question in my "old" brain)

Got on to the site with the same warning but once on, everything was normal speed (question: if the computer is cold not warm due to ambient temperatures, will its response be slower......always occurs in the AM before the room warms up but rarely in the PM after room is warmer!!??)

Also, I don't get the warning until I try to log in.......but once I have, the warning vanishes. |
All times are UTC + 1 hour [ DST ] |