Re: Fwd: storing and using sensitive data


On 9 August 2021 07:40:54 BST, Rene Veerman <rene.veerman.netherlands@xxxxxxxxx> wrote:
>Good morning, all..
>
>upon closer inspection of the couchdb.apache.org docs and the PHP code to
>access it with (https://github.com/skeyby/sag),
>i've found that i can indeed
>(A) shield couchdb from the outside world by allowing only LAN ip-address
>access to it
>(B) use nginx to provide SSL access (using the free certbot app) to apache2
>serving up SSL for my https://github.com/nicerapp/nicerapp code
>(C) use the couchdb cookie authentication scheme[1]&[2] to let my
>nicerapp/boot.php provide hash-login based access to couchdb and the rest
>of my CMS, by "relaying" the appropriate hashed couchdb login cookie
>nicerapp/boot.php uses https://github.com/gbirke/rememberme and the
>aforementioned Sag library to prevent plaintext passwords (to the db) from
>needing
>to be used more than once per session, with the session length being
>variable in both php and couchdb, or needing to store any plaintext
>password anywhere.
>(D) encrypting all sensitive user data with the 'derived_key' from the
>user's account record in couchdb
>
>[1] see https://docs.couchdb.org/en/stable/intro/security.html and the docs
>for 'public_fields', 'require_valid_user', 'secret' and 'timeout' at
>https://docs.couchdb.org/en/stable/config/auth.html#config-couch-httpd-auth
>[2] https://github.com/skeyby/sag/blob/master/src/Sag.php public function
>login
>
>i'll be sure to read all docs provided at
>https://cheatsheetseries.owasp.org/ as well, and integrate them into my
>code.
>for milestone-1 that's still fairly easy to do, because there isn't a whole
>lot of db-access code to it.
>
>milestone-1 for my https://github.com/nicerapp/nicerapp MIT-licensed (
>https://opensource.org/licenses/MIT) CMS will include :
>- very fast bootup time (a fiber internet connection for your server is
>advised in case you'll be using HD or 4K backgrounds instead of initially
>using tiled backgrounds)
>- page loading without white-blanking-screen page refreshes
>- tiled, photo, and youtube video background support (although video
>backgrounds are currently disabled on my https://nicer.app demo site, by
>youtube.com, which i intend to rectify by contacting their support
>department about it this week)
>- server-operator ("customer") CSS loading and DIV loading for the main
>template
>- a very easy-to-use (and documented) apps plugin structure plus URL
>translation
>- users and groups, with access permissions checked by the nicerapp PHP
>code on the server
>- blogging features with tinymce.moxiecode.com as the rich text editor
>- nested-folders photo-album uploads (using the sturdy plupload component,
>and the jstree component to display the sub-folders)
>- an mp3 music player that can translate a whole folder with mp3 files into
>a pretty representation of an artist's works
>- basic IMAP webmail functionality, with full ingoing and outgoing HTML
>support and many fonts to choose from (courtesy of fonts.google.com)
>- a visual theme editor for the site, all apps, and all pages.
>
>milestone-2 will include :
>- webmail attachment handling, fire-and-forget server-based webmail
>synchronization into the much faster couchdb encrypted storage of emails
>(and their attachments on the server disk), and POP mail server support
>- instant messaging support (for dating sites and social media sites)
>- additional social media features (although i don't want to make an exact
>facebook clone, like i didn't want to make an exact gmail clone)
>- (possibly!) forum features
>- (possibly!) web-commerce features (using adyen, most likely)
>
>i didn't write all this as just an ad for my software.
>i wrote it so you all can think of what features *you'd* like to see in my
>CMS, and inform me about that on this mailing list or in a private email..
>
>i thank you for all the help you've provided to make nicerapp more secure,
>and lastly, i'll have you know that milestone-1 will be finished in
>probably no more than a month from now, 2 months tops.
>
>have a nice day, everyone :)
>
>On Sun, Aug 8, 2021 at 11:54 PM Pascal Schorde <pascal.schorde@xxxxxxxxx>
>wrote:
>
>> a good starting point to read up is https://cheatsheetseries.owasp.org/
>>
>> On Sun., 8 Aug. 2021 at 22:29 Ashley Sheridan
>> <ash@xxxxxxxxxxxxxxxxxxxx>:
>> >
>> >
>> > On 08/08/2021 17:56, Rene Veerman wrote:
>> >
>> > darn, i spoke too soon.
>> >
>> > the rememberme plugin may store only a hashed cookie value for the
>> password,
>> > but no matter how, every time a new session is started, i need the
>> plaintext password to establish connections to the database.
>> > that's whether i use the db cookie auth tech or not.
>> >
>> > so i'm basically looking for a more secure way to store a plaintext
>> password than storing it on disk with chmod 770 and chown rene:www-data...
>> >
>> > On Sun, Aug 8, 2021 at 6:26 PM Rene Veerman <
>> rene.veerman.netherlands@xxxxxxxxx> wrote:
>> >>
>> >> nvm!! :) :)
>> >>
>> >> my db (couchdb.apache.org) supports cookie authentication, which is
>> like the rememberme PHP plugin, just another hash value transmitted! :)
>> >>
>> >> looks like i have an actually secure setup for my
>> https://github.com/nicerapp/nicerapp by tomorrow morning :D
>> >>
>> >> On Sun, Aug 8, 2021 at 6:13 PM Rene Veerman <
>> rene.veerman.netherlands@xxxxxxxxx> wrote:
>> >>>
>> >>> well, i ran into a major snag.
>> >>> https://github.com/gbirke/rememberme doesn't store plaintext
>> passwords, but i do need a plaintext password to gain access to the
>> database that i'm using.
>> >>> it's a real chicken-and-egg problem i'm afraid.
>> >>>
>> >>> i suppose i could store the plaintext password in a file on the server
>> which i'd read into / store in $_SESSION once a user has successfully logged
>> in by providing the username and password, or when the user is logged in
>> with a rememberme cookie, which would give me only the username to get to a
>> username->plaintext password file protected with chmod 770 and chown
>> rene:www-data...
>> >>> but i have serious reservations about security when using a scheme
>> like this. ubuntu security holes in apache2 and/or PHP happen just about
>> every 2 years, when the ubuntu.com guys focus on making a new major
>> release, and since i'm storing more than just theme settings (IMAP
>> credentials and passwords for my webmail app), i'm hoping someone here can
>> point me to a more secure solution..
>> >>>
>> >>> On Fri, Aug 6, 2021 at 9:52 PM Ashley Sheridan <
>> ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>> >>>>
>> >>>>
>> >>>> On 06/08/2021 16:42, Rene Veerman wrote:
>> >>>>
>> >>>> Rene Veerman 5864 Original Poster
>> >>>> 9 min
>> >>>> eh, on windows 10, my username and password *are* filled in by
>> autofill.
>> >>>>
>> >>>> but on my development machine, a kubuntu installation, it does not.
>> >>>>
>> >>>> i hope this is of help to google support..
>> >>>> Rene Veerman 5864 Original Poster
>> >>>> 4 sec
>> >>>> nvm! fixed by following the advice listed at
>> https://askubuntu.com/a/1185476 :)
>> >>>>
>> >>>> ---------- Forwarded message ---------
>> >>>> From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
>> >>>> Date: Fri, Aug 6, 2021 at 1:05 PM
>> >>>> Subject: Fwd: storing and using sensitive data
>> >>>> To: PHP General <php-general@xxxxxxxxxxxxx>
>> >>>>
>> >>>>
>> >>>> FYI :
>> >>>> i've read
>> https://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach
>> which explains a lot of the pitfalls involved,
>> >>>> then i went searching for a library that does this for you, and found
>> https://github.com/gbirke/rememberme which appears to work great right out of
>> the box.
>> >>>>
>> >>>> i'm now stuck at the autofill functionality.
>> >>>> my site https://nicer.app, with the login button at the top-left of
>> the pages, the middle icon on the right-side of the date-time indicator,
>> >>>> just won't autofill at all, other than offering a multitude of
>> previously used usernames, but i can't for the love of anything get it to
>> autofill the password field.
>> >>>>
>> >>>> this is the same for <input type="password" id="password"
>> name="password"> and <input type="password" id="current-password"
>> name="current-password">
>> >>>>
>> >>>> i could really use some help with that..
>> >>>>
>> >>>> ---------- Forwarded message ---------
>> >>>> From: Rene Veerman <rene.veerman.netherlands@xxxxxxxxx>
>> >>>> Date: Thu, Aug 5, 2021 at 6:30 PM
>> >>>> Subject: storing and using sensitive data
>> >>>> To: PHP General <php-general@xxxxxxxxxxxxx>
>> >>>>
>> >>>>
>> >>>> Hi.
>> >>>>
>> >>>> I'm building a webmail module for my MIT-licensed
>> https://github.com/nicerapp/nicerapp websites platform (CMS and more, see
>> https://nicer.app for a demo).
>> >>>>
>> >>>> I don't want to store end-user's email connection settings in plain
>> text on my server.
>> >>>>
>> >>>> I've read all of https://github.com/defuse/php-encryption,
>> understand most of it, but wonder if I can just encrypt the data using the
>> end-user's password, which gets verified by couchdb and as such is only
>> stored as a hash value in the database.
>> >>>>
>> >>>> Will my SSL connection setup, and the password stored in a cookie in
>> the end-user's browser, keep things safe enough to survive a
>> PHP/apache-based intrusion, which tends to open up every 2 years when the
>> guys at ubuntu.com prepare for a new release..
>> >>>>
>> >>>> With regards,
>> >>>>   Rene Veerman
>> >>>>
>> >>>>
>> >>>> Autofill tends to work based on the name and id of the field in
>> question, and this behaviour varies quite a bit between browsers and
>> operating systems. Have you looked at the `autocomplete` attribute (
>> https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete)
>> for that form element? In theory, you _should_ be able to set that to
>> "current-password" to trigger the autocomplete behaviour. However, this is
>> not a guarantee, it's just an attribute which suggests to the browser to do
>> that, not an instruction that the browser must follow.
>> >>>>
>> >>>> --
>> >>>> Ashley Sheridan
>> >>>> https://www.ashleysheridan.co.uk
>> >
>> > Whatever you do, you cannot store a password in plain text. This is
>> irresponsible, and illegal (because of what it's accessing and what other
>> information you've already said you would plan to hold on your users) in a
>> lot of places.
>> >
>> > Please, read up on encryption and apply it to your application.
>> >
>> > --
>> > Ashley Sheridan
>> > https://www.ashleysheridan.co.uk
>>

Given that it's available to the public then, have you considered accessibility concerns with your front end?
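As an added example (not code from this thread or from nicerapp), this is the pattern the "chicken-and-egg" messages above circle around: a random per-user data key is wrapped under a key derived from the login password with libsodium (built into PHP 7.2+), unlocked once at login, and kept only in the session, so no plaintext password ever needs to be written to disk. The function names, record layout and sample values are my own assumptions.

```php
<?php
declare(strict_types=1);

// Password-based KDF (Argon2id via libsodium). Do not reuse CouchDB's stored
// 'derived_key' here: it is the password verifier kept in the user document,
// so using it as an encryption key hands the key to anyone who can read the db.
function deriveKek(string $password, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Called at account creation or password change: wrap a fresh random data key
// (DEK) under the password-derived key. Only these three fields are stored
// (base64-encode them for a JSON document); the password itself is not.
function createWrappedKey(string $password): array
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $kek   = deriveKek($password, $salt);
    $dek   = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $wrapped = sodium_crypto_secretbox($dek, $nonce, $kek);
    sodium_memzero($kek);
    return ['salt' => $salt, 'nonce' => $nonce, 'wrapped' => $wrapped];
}

// Called once per login with the submitted password. Keep the returned DEK in
// $_SESSION (server memory), never in a file or cookie. Null on wrong password
// or a tampered record, because secretbox is authenticated.
function unlockKey(array $record, string $password): ?string
{
    $kek = deriveKek($password, $record['salt']);
    $dek = sodium_crypto_secretbox_open($record['wrapped'], $record['nonce'], $kek);
    sodium_memzero($kek);
    return $dek === false ? null : $dek;
}

// Encrypt one sensitive field (e.g. IMAP credentials); fresh nonce per field.
function encryptField(string $plaintext, string $dek): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $dek));
}

function decryptField(string $blob, string $dek): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) return null;
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $dek);
    return $plain === false ? null : $plain;
}

// Constructed usage with made-up values:
$record = createWrappedKey('correct horse battery staple');   // store in user doc
$dek    = unlockKey($record, 'correct horse battery staple'); // at login -> $_SESSION
$stored = encryptField('imap.example.org|rene|imap-secret', $dek);
var_dump(decryptField($stored, $dek));            // the IMAP credentials
var_dump(unlockKey($record, 'wrong password'));   // NULL
```

A remember-me cookie alone cannot unlock the record, since it carries no password; on cookie-only logins the data stays sealed until the user re-enters the password, which is the trade-off this design makes.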