From alexm at alexm.org Tue Sep 22 20:24:18 2015
From: alexm at alexm.org (Alex Muntada)
Date: Tue, 22 Sep 2015 20:24:18 +0200
Subject: [Act-dev] a few ideas for legacy Act
Message-ID: <20150922182418.GB2034@xps>

While there are people already taking care of future Act, I'm also
worried by legacy Act, both old, recent and current instances.

I just read in patch -p3 that we increased the bus factor to 2 people,
which is great. I'm offering my help if you need it too.

That being addressed, my next worry is having a backup or slave server.
I think that this was also discussed in -p3 but I don't know the
details. I can offer a VM in my department premises in www.ac.upc.edu
for free.

The next idea is separating old instances (e.g. 2 years old) from
current and recent instances into a read-only server. And finally
having a loadbalanced or master/slave service for current and recent
instances.

Having a separate server for test instances was probably more
interesting a while ago, but we now have the means to test our changes
in private Act boxes. I wouldn't spend much time on this or maybe only
in documenting and encouraging people to run their own test instances
and remove those from the production server.

I like the challenge of legacy systems and software and I think that
the migration path from legacy to future Act is a very interesting use
case that others can benefit from.

Cheers,
Alex


From alexm at alexm.org Fri Sep 25 10:35:10 2015
From: alexm at alexm.org (Alex Muntada)
Date: Fri, 25 Sep 2015 10:35:10 +0200
Subject: [Act-dev] a few ideas for legacy Act
In-Reply-To: <20150922182418.GB2034@xps>
References: <20150922182418.GB2034@xps>
Message-ID: <20150925083510.GA15184@xps>

Alex Muntada:

> While there are people already taking care of future Act, I'm also
> worried by legacy Act, both old, recent and current instances.

Something I forgot to say and that I think is pretty important is
adding TLS support to Act instances, starting with those in
act.yapc.eu.

Has there been any previous discussion regarding this matter?

Cheers,
Alex


From philippe.bruhat at free.fr Fri Sep 25 22:16:45 2015
From: philippe.bruhat at free.fr (Philippe Bruhat (BooK))
Date: Fri, 25 Sep 2015 22:16:45 +0200
Subject: [Act-dev] a few ideas for legacy Act
In-Reply-To: <20150925083510.GA15184@xps>
References: <20150922182418.GB2034@xps> <20150925083510.GA15184@xps>
Message-ID: <20150925201645.GE2532@zok>

On Fri, Sep 25, 2015 at 10:35:10AM +0200, Alex Muntada wrote:
> Alex Muntada:
>
> > While there are people already taking care of future Act, I'm also
> > worried by legacy Act, both old, recent and current instances.
>
> Something I forgot to say and that I think is pretty important
> is adding TLS support to Act instances, starting with those in
> act.yapc.eu.
>
> Has there been any previous discussion regarding this matter?

There was no discussion about it.

Yes, the cookie is transmitted with every request, and I know very well
that it can be used to steal sessions... I know because I do it from
time to time, to help users. The only difference is that I pick the
session id from the database directly. ;-)

Only the payments are done over HTTPS, because that part is obviously
handled by the bank. We have no payment information, other than the
fact that the payment for a given order number that we put in the
database has been accepted by the bank.

My memory from the Act hackathon of 2014 is that a bigger security
issue is the hash we use for storing the password information. It is
not very strong. One participant had a proposal for fixing that, but
I don't remember what happened with it.

--
 Philippe Bruhat (BooK)

 History is made by the winners and written by those with the loudest voices.
                                    (Moral from Groo The Wanderer #10 (Epic))


From th.j.v.hoesel at gmail.com Fri Sep 25 23:12:39 2015
From: th.j.v.hoesel at gmail.com (Theo Van Hoesel)
Date: Fri, 25 Sep 2015 22:12:39 +0100
Subject: [Act-dev] a few ideas for legacy Act
In-Reply-To: <20150925201645.GE2532@zok>
References: <20150922182418.GB2034@xps> <20150925083510.GA15184@xps> <20150925201645.GE2532@zok>
Message-ID:

On the other hand... Act-Voyager requires the REST-api to run over
HTTPS, and has username/password sent with 'unsafe' methods (that has
nothing to do with HTTPS) ... but that had not yet been switched on
for it

Sent from my iPhone

> On 25 Sep 2015, at 21:16, Philippe Bruhat (BooK) wrote:
>
>> On Fri, Sep 25, 2015 at 10:35:10AM +0200, Alex Muntada wrote:
>> Alex Muntada:
>>
>>> While there are people already taking care of future Act, I'm also
>>> worried by legacy Act, both old, recent and current instances.
>>
>> Something I forgot to say and that I think is pretty important
>> is adding TLS support to Act instances, starting with those in
>> act.yapc.eu.
>>
>> Has there been any previous discussion regarding this matter?
>
> There was no discussion about it.
>
> Yes, the cookie is transmitted with every request, and I know very well
> that it can be used to steal sessions... I know because I do it from time
> to time, to help users. The only difference is that I pick the session
> id from the database directly. ;-)
>
> Only the payments are done over HTTPS, because that part is obviously
> handled by the bank. We have no payment information, other than the fact
> that the payment for a given order number that we put in the database
> has been accepted by the bank.
>
> My memory from the Act hackathon of 2014 is that a bigger security
> issue is the hash we use for storing the password information. It is
> not very strong. One participant had a proposal for fixing that, but
> I don't remember what happened with it.
>
> --
>  Philippe Bruhat (BooK)
>
>  History is made by the winners and written by those with the loudest voices.
>                                     (Moral from Groo The Wanderer #10 (Epic))
> _______________________________________________
> Act-dev mailing list
> Act-dev at mongueurs.net
> http://listes.mongueurs.net/mailman/listinfo/act-dev


From alexm at alexm.org Mon Sep 28 15:59:26 2015
From: alexm at alexm.org (Alex Muntada)
Date: Mon, 28 Sep 2015 15:59:26 +0200
Subject: [Act-dev] a few ideas for legacy Act
In-Reply-To: <20150925201645.GE2532@zok>
References: <20150922182418.GB2034@xps> <20150925083510.GA15184@xps> <20150925201645.GE2532@zok>
Message-ID: <20150928135926.GA13296@xps>

Philippe Bruhat (BooK):

> Yes, the cookie is transmitted with every request, and I know very well
> that it can be used to steal sessions... I know because I do it from time
> to time, to help users. The only difference is that I pick the session
> id from the database directly. ;-)

Cookie stealing is a concern that could be solved through TLS but
password stealing is also worrying. I know that some Act users request
a new password each time they want to log in but this trick doesn't
solve the security issue either because the new password can be stolen
too.

> My memory from the Act hackathon of 2014 is that a bigger security
> issue is the hash we use for storing the password information. It is
> not very strong. One participant had a proposal for fixing that, but
> I don't remember what happened with it.

I see that lib/Act/Auth.pm, lib/Act/Handler/User/ChangePassword.pm and
lib/Act/Util.pm use Digest::MD5 without salt.

Digest::Bcrypt depends on Crypt::Eksblowfish::Bcrypt, which needs XS
support. I will try whether it works in spectre before attempting to
add support for it in Act.

Cheers,
Alex
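Editor's note: the following is an added example, not code from Act or from anyone in this thread. It illustrates the two points raised above about password storage: why an unsalted MD5 digest is weak (one precomputed table of md5(word) cracks every account that shares a password), and how a project that already holds such hashes can move to a salted, slow hash without a password reset, by upgrading each record at the only moment the clear-text password is available, namely a successful login. It is written in Python rather than Act's Perl so it runs stand-alone; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (Digest::Bcrypt) because it needs no XS module, and the migration logic is identical with bcrypt. Assumptions, all hypothetical: that Act stores the lowercase hex MD5 of the password (the thread only says Digest::MD5, no salt), the `$scheme$iterations$salt$hash` storage format, the `ITERATIONS` work factor, and the constructed users alice and bob with the constructed password hunter2.

```python
"""Unsalted MD5 next to a salted, iterated hash with upgrade-on-login.

Added example, not Act's code. Assumptions are marked in comments.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for the slow hash (assumed value for this example).
ITERATIONS = 200_000
SCHEME = "pbkdf2-sha256"


def legacy_md5(password: str) -> str:
    """The weak scheme from the thread: unsalted MD5.
    Assumption: stored as lowercase hex (Digest::MD5::md5_hex style)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_legacy(stored: str) -> bool:
    """Legacy records are 32 hex chars; upgraded ones start with '$'."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. PBKDF2-HMAC-SHA256 stands in for bcrypt so the
    example needs no XS module; the self-describing '$scheme$params$salt$hash'
    layout is an assumed format, chosen so old and new records can coexist."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${SCHEME}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_strong(password: str, stored: str) -> bool:
    _, scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)  # constant-time comparison


class UserStore:
    """In-memory stand-in for a users table: username -> stored hash."""

    def __init__(self, hashes: Dict[str, str]):
        self.hashes = dict(hashes)

    def login(self, username: str, password: str) -> bool:
        stored = self.hashes.get(username)
        if stored is None:
            return False
        if is_legacy(stored):
            ok = hmac.compare_digest(legacy_md5(password), stored)
            if ok:
                # Transparent migration: the clear-text password is only in
                # hand at login, so rewrite the record to the strong scheme now.
                self.hashes[username] = strong_hash(password)
            return ok
        return verify_strong(password, stored)


def crack_unsalted(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Why 'no salt' matters: a single table of md5(word) is computed once
    and matched against every legacy record. Salted records are skipped;
    each would need its own table, which is the point of the salt."""
    table = {legacy_md5(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items()
            if is_legacy(h) and h in table}


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    store = UserStore({"alice": legacy_md5("hunter2"), "bob": legacy_md5("hunter2")})
    print("cracked before migration:", crack_unsalted(store.hashes, ["letmein", "hunter2"]))
    store.login("alice", "hunter2")  # alice logs in; her record is upgraded
    print("alice now:", store.hashes["alice"][:32], "...")
    print("cracked after alice's login:", crack_unsalted(store.hashes, ["letmein", "hunter2"]))
```

Two details matter for a real migration: the comparison of the legacy digest still uses a constant-time compare, and accounts that never log in stay on MD5 indefinitely, so the upgrade path should be paired with a deadline after which remaining legacy records are invalidated and those users are asked to reset.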