Calcudoku puzzle forum
http://www.calcudoku.org/forum/

some site security changes
http://www.calcudoku.org/forum/viewtopic.php?f=5&t=411
Page 1 of 2

Author:  pnm  [ Sun Feb 03, 2013 1:38 pm ]
Post subject:  some site security changes

Some other changes, with no visible effect though:

- a fix to the "obfuscator" program that "muddles up" the Javascript code that runs the page
(the goal here is to make it difficult for people to copy and reuse the software that runs the page)

- an improvement to the password encryption method: I already was using a highly rated "hashing"
function to encrypt your passwords (called "whirlpool"). The improvement is that now the passwords
are stored with a "salt" value, which is different for every user (!). In practice this means that should
the server/database be compromised by a hacker, it'll still be very difficult and time-consuming to
recover even a single user password

Compare this to what big companies do, who don't give a **** about security and your privacy, as long as
you don't find out about it (LinkedIn, Adobe, eHarmony, Last.fm, etc.):
6.5 Million Encrypted LinkedIn Passwords Leaked Online
Adobe hacked, passwords posted online
eHarmony confirms breach, about 1.5 million passwords stolen

Patrick

Edit: the password update broke the automatic forum login, this should be fixed now.
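The per-user salt described above, shown side by side with the unsalted "before" scheme, as an added example (it is not code from the site or from the post). Whirlpool is a one-way hash, so what is stored is a digest, not something that can be decrypted; the example uses `hashlib.new("whirlpool")` where the OpenSSL build provides it and otherwise falls back to SHA-512 (an assumption made so the example runs everywhere). The `algorithm$salt$digest` record layout and the sample password list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


# Whirlpool is exposed by hashlib only when the underlying OpenSSL build ships it.
# If it is missing we fall back to SHA-512 so the example still runs; the fallback
# is an assumption made for portability, not the site's choice.
def _digest_name() -> str:
    try:
        hashlib.new("whirlpool")
        return "whirlpool"
    except ValueError:
        return "sha512"


DIGEST = _digest_name()


def hash_unsalted(password: str) -> str:
    """The 'before' scheme: one bare digest of the password, identical for every user."""
    return hashlib.new(DIGEST, password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """The 'after' scheme: a fresh random salt per user, stored alongside the digest.

    Record layout (an assumption for this example): algorithm$salt_hex$digest_hex.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.new(DIGEST, salt + password.encode("utf-8")).hexdigest()
    return f"{DIGEST}${salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, salt_hex, digest = stored.split("$")
    candidate = hashlib.new(
        algo, bytes.fromhex(salt_hex) + password.encode("utf-8")
    ).hexdigest()
    return hmac.compare_digest(candidate, digest)


def precomputed_table(candidates: Iterable[str]) -> Dict[str, str]:
    """digest -> password for a list of common passwords, computed once and reusable
    against any unsalted database: the lookup-table attack the salt is meant to defeat."""
    return {hash_unsalted(p): p for p in candidates}


def lookup(table: Dict[str, str], stored_digest_hex: str) -> Optional[str]:
    """Instant recovery if the stored digest appears in the table, otherwise None."""
    return table.get(stored_digest_hex)


if __name__ == "__main__":
    common = ["123456", "password", "hunter2"]  # constructed sample password list
    table = precomputed_table(common)
    # Unsalted: two users with the same password share a digest, and the table finds it.
    print("unsalted hit:", lookup(table, hash_unsalted("hunter2")))
    # Salted: same password, two different records, and the table never matches.
    rec_a, rec_b = hash_salted("hunter2"), hash_salted("hunter2")
    print("records differ:", rec_a != rec_b)
    print("salted hit:", lookup(table, rec_a.split("$")[2]))
    print("verify ok:", verify_salted("hunter2", rec_a))
```

The salt stops two things at once: a precomputed table of common passwords no longer matches anything, and two users who picked the same password no longer reveal that fact by sharing a digest. What it does not change is the speed of the hash itself; Whirlpool is a fast general-purpose function, so current practice layers a deliberately slow, iterated construction (PBKDF2, bcrypt, scrypt) on top of the salt to make per-user guessing expensive as well.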

Author:  mparisi  [ Sun Feb 03, 2013 10:54 pm ]
Post subject:  Re: February changes

pnm wrote:
- an improvement to the password encryption method: I already was using a highly rated "hashing"
function to encrypt your passwords (called "whirlpool"). The improvement is that now the passwords
are stored with a "salt" value, which is different for every user (!). In practice this means that should
the server/database be compromised by a hacker, it'll still be very difficult and time-consuming to
recover even a single user password

Yes, but you are still sending the password over the net in the clear instead of using https.

Author:  pnm  [ Sun Feb 03, 2013 11:05 pm ]
Post subject:  Re: February changes

mparisi wrote:
Yes, but you are still sending the password over the net in the clear instead of using https.

True, true, so a password could still be intercepted "on the wire".

I should fix that too, for completeness' sake.

Patrick

Author:  pnm  [ Mon Feb 04, 2013 12:40 pm ]
Post subject:  Re: some site security changes

(moved this to a separate thread, as you can see)

Ok, the login, signup, reset password, and validate pages now all use HTTPS (i.e. an encrypted connection),
so that's covered now as well :-)

In principle this was a small fix (automatically redirect login and signup to HTTPS, change references
on the page to HTTPS), but it turned into a bit of a nightmare:
After making the change, I got security warnings from the browser. When I checked the encryption certificates
for the site, I found that one of them had expired. Something went wrong when installing an updated certificate,
causing the web server itself to not restart (which is why the site was out for about 20 minutes last night,
around 22.00 CET :-( ). I disabled encryption altogether (causing problems for the Facebook app access, because
Facebook wants HTTPS), and fixed things this morning...

Scream if something is still going wrong for you.

(I did notice that direct login to the forum doesn't work anymore, this will be fixed)

Patrick
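The two halves of the fix described in the post above (redirect the credential-carrying pages to HTTPS, and rewrite the page's own references so they point at HTTPS), as an added example in the form of a small WSGI middleware; this is illustrative code, not the site's own. The path names in `SENSITIVE_PATHS`, the record of which pages count as sensitive, and the sample HTML are assumptions constructed for the example.

```python
import re
from typing import Callable, Iterable

# Paths that carry credentials and must never be served or submitted over plain HTTP.
# These path names are assumptions for the example, not the site's actual routes.
SENSITIVE_PATHS = ("/login", "/signup", "/reset", "/validate")


def needs_https(scheme: str, path: str) -> bool:
    """True when a credential-carrying path is being requested over plain HTTP."""
    if scheme == "https":
        return False
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)


def https_location(host: str, path: str, query: str = "") -> str:
    """Build the HTTPS URL to redirect to, preserving the query string."""
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class ForceHttps:
    """WSGI middleware: redirect sensitive paths to HTTPS, pass everything else through."""

    def __init__(self, app: Callable, host: str):
        self.app = app
        self.host = host

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        scheme = environ.get("wsgi.url_scheme", "http")
        path = environ.get("PATH_INFO", "/")
        if needs_https(scheme, path):
            location = https_location(self.host, path, environ.get("QUERY_STRING", ""))
            start_response(
                "301 Moved Permanently",
                [("Location", location), ("Content-Type", "text/plain")],
            )
            return [b"Redirecting to HTTPS\n"]
        return self.app(environ, start_response)


def rewrite_links(html: str, host: str) -> str:
    """Rewrite absolute http:// references to the sensitive paths, so the page itself
    never sends a browser to the plain-HTTP form (the second half of the fix)."""
    alternatives = "|".join(re.escape(p) for p in SENSITIVE_PATHS)
    pattern = re.compile(r"http://" + re.escape(host) + r"(" + alternatives + r")\b")
    return pattern.sub(lambda m: f"https://{host}{m.group(1)}", html)


if __name__ == "__main__":
    def demo_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    def show(status, headers):
        print(status, dict(headers).get("Location", ""))

    site = ForceHttps(demo_app, "www.calcudoku.org")
    # Constructed requests: plain-HTTP login is redirected, everything else is served.
    site({"wsgi.url_scheme": "http", "PATH_INFO": "/login", "QUERY_STRING": ""}, show)
    site({"wsgi.url_scheme": "https", "PATH_INFO": "/login", "QUERY_STRING": ""}, show)
    site({"wsgi.url_scheme": "http", "PATH_INFO": "/en", "QUERY_STRING": ""}, show)
    print(rewrite_links('<a href="http://www.calcudoku.org/login">log in</a>', "www.calcudoku.org"))
```

The redirect only helps when it fires on the GET that fetches the form: if a form served over HTTP posts its fields to an HTTP URL and is then redirected, the password has already crossed the wire in the clear before the 301 arrives. That is why the link rewriting matters as much as the redirect, and why the whole login page, not just the submit target, has to be on HTTPS.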

Author:  danvijan  [ Mon Feb 04, 2013 4:37 pm ]
Post subject:  Re: some site security changes

pnm wrote:
Scream if something is still going wrong for you.

Yes, I have a problem logging in via Chrome. Something about a certificate not being valid.
The start-up page loads OK but when I hit the "login" button the error appears. Any other Chrome users experience the same problem?

Author:  pnm  [ Mon Feb 04, 2013 4:51 pm ]
Post subject:  Re: some site security changes

danvijan wrote:
Yes, I have a problem logging in via Chrome. Something about a certificate not being valid.
The start-up page loads OK but when I hit the "login" button the error appears. Any other Chrome users experience the same problem?

What do you see when you click on the "lock" to the left of the URL in the address bar?

This is what I see in Chrome:
[screenshot attached in the original post]

Author:  danvijan  [ Mon Feb 04, 2013 9:22 pm ]
Post subject:  Re: some site security changes

Since nobody else seem to have that problem I guess it's something with my computer. I'll send you an email with the print screen.
Thanks.

Author:  beaker  [ Mon Feb 04, 2013 10:40 pm ]
Post subject:  Re: some site security changes

Patrick: I am getting "Certificate Error" and the computer won't allow access to the site unless I scroll down to where it says (more or less) "continue at own risk"........which I do and then the url address appears in red along with the notification of Certificate Error and then I can't login....I'll hit enter on the "login" but nothing happens for quite a long time and when I do finally get in to the site any numbers entered into a puzzle take "forever" to register on the screen....thank goodness for the iPad as it has allowed me to access the site but it is difficult to work with as the numbers are soooo small even with reading glasses......Ken

Author:  pnm  [ Mon Feb 04, 2013 10:55 pm ]
Post subject:  Re: some site security changes

beaker wrote:
Patrick: I am getting "Certificate Error" and the computer won't allow access to the site unless I scroll down to where it says (more or less) "continue at own risk"........which I do and then the url address appears in red along with the notification of Certificate Error and then I can't login....I'll hit enter on the "login" but nothing happens for quite a long time and when I do finally get in to the site any numbers entered into a puzzle take "forever" to register on the screen....thank goodness for the iPad as it has allowed me to access the site but it is difficult to work with as the numbers are soooo small even with reading glasses......Ken

Is the link that's shown at the top of the puzzle page: http://www.calcudoku.org (or http://www.calcudoku.org/en)?
(so with http, not https)

I'm seeing the same error here running Internet Exploder 8 under Windows XP (which is what you're using),
but not when using Firefox (for example) under XP.

I'm not sure yet, but it's possible that because IE8 is too old, it doesn't know about "StartCom"'s certificates
(the company that I got a (free) certificate from).

Patrick

Author:  beaker  [ Tue Feb 05, 2013 2:59 am ]
Post subject:  Re: some site security changes

pnm wrote:
Is the link that's shown at the top of the puzzle page: http://www.calcudoku.org (or http://www.calcudoku.org/en)?
(so with http, not https)
At the top it reads "http://calcudoku.org" (sorry, didn't register the question in my "old" brain)

Got on to the site with the same warning but once on, everything was normal speed (question: if the computer is cold not warm due to ambient temperatures, will its response be slower......always occurs in the AM before the room warms up but rarely in the PM after room is warmer!!??)

Also, I don't get the warning until I try to log in.......but once I have, the warning vanishes.

Page 1 of 2 All times are UTC + 1 hour [ DST ]