View unanswered posts | View active topics It is currently Thu Mar 28, 2024 1:43 pm



← Back to the Calcudoku puzzle page




Reply to topic  [ 13 posts ]  Go to page 1, 2  Next
 some site security changes 
Author Message
User avatar

Posted on: Sun Feb 03, 2013 1:38 pm




Posts: 3296
Joined: Thu May 12, 2011 11:58 pm
 some site security changes
Some other changes, with no visible effect though:

- a fix to the "obfuscator" program that "muddles up" the Javascript code that runs the page
(the goal here is to make it difficult for people to copy and reuse the software that runs the page)

- an improvement to the password encryption method: I already was using a highly rated "hashing"
function to encrypt your passwords (called "whirlpool"). The improvement is that now the passwords
are stored with a "salt" value, which is different for every user (!). In practice this means that should
the server/database be compromised by a hacker, it'll still be very difficult and time-consuming to
recover even a single user password

Compare this to what big companies do, who don't give a **** about security and your privacy, as long as
you don't find out about it (LinkedIn, Adobe, eHarmony, Last.fm, etc.):
6.5 Million Encrypted LinkedIn Passwords Leaked Online
Adobe hacked, passwords posted online
eHarmony confirms breach, about 1.5 million passwords stolen

Patrick

Edit: the password update broke the automatic forum login, this should be fixed now.


Profile

Posted on: Sun Feb 03, 2013 10:54 pm




Posts: 106
Joined: Sat May 14, 2011 1:08 am
Post Re: February changes
pnm wrote:
- an improvement to the password encryption method: I already was using a highly rated "hashing"
function to encrypt your passwords (called "whirlpool"). The improvement is that now the passwords
are stored with a "salt" value, which is different for every user (!). In practice this means that should
the server/database be compromised by a hacker, it'll still be very difficult and time-consuming to
recover even a single user password

Yes, but you are still sending the password over the net in the clear instead of using https.


Profile
User avatar

Posted on: Sun Feb 03, 2013 11:05 pm




Posts: 3296
Joined: Thu May 12, 2011 11:58 pm
Post Re: February changes
mparisi wrote:
Yes, but you are still sending the password over the net in the clear instead of using https.

True, true, so a password could still be intercepted "on the wire".

I should fix that too, for completeness sake.

Patrick


Profile
User avatar

Posted on: Mon Feb 04, 2013 12:40 pm




Posts: 3296
Joined: Thu May 12, 2011 11:58 pm
Post Re: some site security changes
(moved this to a separate thread, as you can see)

Ok, the login, signup, reset password, and validate pages now all use HTTPS (i.e. an encrypted connection),
so that's covered now as well :-)

In principle this was a small fix (automatically redirect login and signup to HTTPS, change references
on the page to HTTPS), but it turned into a bit of a nightmare:
After making the change, I got security warnings from the browser. When checked the encryption certificates
for the site, I found that one of them had expired. Something went wrong when installing an updated certificate,
causing the web server itself to not restart (which is why the site was out for about 20 minutes last night,
around 22.00 CET :-( ). I disabled encryption altogether (causing problems for the Facebook app access, because
Facebook wants HTTPS), and fixed things this morning...

Scream if something is still going wrong for you.

(I did notice that direct login to the forum doesn't work anymore, this will be fixed)

Patrick


Profile

Posted on: Mon Feb 04, 2013 4:37 pm




Posts: 19
Joined: Fri May 13, 2011 10:46 am
Post Re: some site security changes
pnm wrote:
Scream if something is still going wrong for you.

Yes, I have a problem logging-in via Chrome. Something about a certificate not being valid.
The start-up page loads OK but when I hit the "login" button the error apears. Any other Chrome users experience the same problem?


Profile
User avatar

Posted on: Mon Feb 04, 2013 4:51 pm




Posts: 3296
Joined: Thu May 12, 2011 11:58 pm
Post Re: some site security changes
danvijan wrote:
Yes, I have a problem logging-in via Chrome. Something about a certificate not being valid.
The start-up page loads OK but when I hit the "login" button the error apears. Any other Chrome users experience the same problem?

What do you see when you click on the "lock" to the left of the URL in the address bar?

This is what I see in Chrome:
Image


Profile

Posted on: Mon Feb 04, 2013 9:22 pm




Posts: 19
Joined: Fri May 13, 2011 10:46 am
Post Re: some site security changes
Since nobody else seem to have that problem I guess it's something with my computer. I'll send you an email with the print screen.
Thanks.


Profile

Posted on: Mon Feb 04, 2013 10:40 pm




Posts: 931
Location: Ladysmith, BC, Canada
Joined: Fri May 13, 2011 1:37 am
Post Re: some site security changes
Patrick: I am getting "Certficate Error" and the computer won't allow access to the site unless I scroll down to where it says (more or less) "continue at own risk"........which I do and then the url address appears in red along with the notification of Certicate Error and then I can't login....I'll hit enter on the "login" but nothing happens for quite a long time and when I do finally get in to the site any numbers entered into a puzzle take "forever" to register on the screen....thank goodness for the iPad as it has allowed me to access the site but it is difficult to work with as the numbers are soooo small even with reading glasses......Ken


Profile
User avatar

Posted on: Mon Feb 04, 2013 10:55 pm




Posts: 3296
Joined: Thu May 12, 2011 11:58 pm
Post Re: some site security changes
beaker wrote:
Patrick: I am getting "Certficate Error" and the computer won't allow access to the site unless I scroll down to where it says (more or less) "continue at own risk"........which I do and then the url address appears in red along with the notification of Certicate Error and then I can't login....I'll hit enter on the "login" but nothing happens for quite a long time and when I do finally get in to the site any numbers entered into a puzzle take "forever" to register on the screen....thank goodness for the iPad as it has allowed me to access the site but it is difficult to work with as the numbers are soooo small even with reading glasses......Ken

Is the link that's shown at the top of the puzzle page: http://www.calcudoku.org (or http://www.calcudoku.org/en)?
(so with http, not https)

I'm seeing the same error here running Internet Exploder 8 under Windows XP (which is what you're using),
but not when using Firefox (for example) under XP.

I'm not sure yet, but it's possible that because IE8 is too old, it doesn't know about "StartCom"'s certificates
(the company that I got a (free) certificate from).

Patrick


Profile

Posted on: Tue Feb 05, 2013 2:59 am




Posts: 931
Location: Ladysmith, BC, Canada
Joined: Fri May 13, 2011 1:37 am
Post Re: some site security changes
pnm wrote:
Is the link that's shown at the top of the puzzle page: http://www.calcudoku.org (or http://www.calcudoku.org/en)?
(so with http, not https)


At the top it reads "http://calcudoku.org" (sorry, didn't register the question in my "old" brain)

Got on to the site with the same warning but once on, every thing was normal speed (question: if the computer is cold not warm due to ambient temperatures, will its response be slower......always occurs in the AM before the room warms up but rarely in the PM after room is warmer!!??)

Also, I don't get the warning until I try to log in.......but once I have, the warning vanishes.


Profile
Display posts from previous:  Sort by  
Reply to topic   [ 13 posts ]  Go to page 1, 2  Next

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
All forum contents © Patrick Min, and by the post authors.

Forum software phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Designed by STSoftware.