Wedge

Public area => The Pub => Topic started by: Arantor on November 5th, 2012, 05:59 PM

Title: Hardening admin security
Post by: Arantor on November 5th, 2012, 05:59 PM
Another random idea.

So, when you go into the admin panel, moderation panel or editing other users' profiles, you're required to revalidate your password for one hour.

Not so much the moderation panel or profiles, but for the admin panel, what if instead of re-entering your password, it sent you an email with a one-time use code, on provision of which you would get access to the admin panel?

Same deal otherwise - revalidate an hour later. But it is something a bit stronger than just your password. Reason that I suggest this, is if you have someone trying to force their way into the admin panel, they would have to do more than just brute force your password. (Quite a bit more, really)

Of course, it would be disabled by default, mostly for those of us on WampServer or whatever who don't have email servers set up ;) - if you already have access to the database anyway to be able to change this you're already powerful enough.
Title: Re: Hardening admin security
Post by: Anthony` on November 5th, 2012, 10:52 PM
This is a great idea. It's not very often hackers have access both to an admin password and the person's e-mail account (at least in my experience).
Title: Re: Hardening admin security
Post by: MultiformeIngegno on November 6th, 2012, 12:55 AM
I know you don't like Google, but I'd suggest Google Authenticator API (open source) :D
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 01:03 AM
I *really* don't like that idea. Not just because I find Google increasingly creepy, but because I find the idea of turning admin control of a site over to a third party for 'authentication'.
Title: Re: Hardening admin security
Post by: MultiformeIngegno on November 6th, 2012, 01:13 AM
Well, there could be a manual option to disable it (editing config file) if there are problems (and switch back to the "normal" method). This wouldn't decrease security because to disable it an attacker would need FTP access (and if they have that, they also know the db password..)

edit: anyway, also big sites started using it, such as Dropbox and Amazon web services ;)
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 01:14 AM
There would still have to be a manual method, in case of email troubles anyway. But this just seems to be including a whole level of extra stuff just for the sake of using "Google Authenticator" when 95% of the effect can be achieved for a fraction of the effort.

If you're running a forum, you already got email.
Title: Re: Hardening admin security
Post by: MultiformeIngegno on November 6th, 2012, 01:18 AM
Oh, talking about extra stuff and effort in including it I can't speak. I can only report that it's extremely comfortable (I use it for quite a bit of services) and as my edit said, also big projects are starting to use it (Dropbox, AWS).
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 01:24 AM
How is it more comfortable to use than clicking on a link in an email?
Title: Re: Hardening admin security
Post by: MultiformeIngegno on November 6th, 2012, 01:34 AM
Quote from Arantor on November 6th, 2012, 01:24 AM
How is it more comfortable to use than clicking on a link in an email?
You don't need to have sendmail() enabled or postfix/exim installed.. and it's more modern than email links (that look so.. old style! :P)
From the user's POV, he doesn't need to remove the emails from his inbox! If he logs in often he would have the inbox full
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 01:36 AM
Aside from the fact I already said it would be disableable anyway (including by default), a forum that's running without email facilities is likely to be limited anyway...

Being honest, I get annoyed with this sort of suggestion, because it just makes me feel like I shouldn't try to have ideas because they all end up leading back to the fecking Google monster in some fashion. All I'm hearing is "Whatever your idea is, it's cute but it would be better with Google." Maybe I'm just taking it less than wonderfully but that's how I'm seeing it right now. It reminds me of the vBulletin vs XenForo video where the one side is reduced to saying "But we have Kier Darby" as an argument technique.

Can't be arsed to make this core because providing something like this in the core is going to cause more problems than it would save - Google tentacles notwithstanding.
Title: Re: Hardening admin security
Post by: MultiformeIngegno on November 6th, 2012, 01:41 AM
Maybe you're right about Google's tentacles, but I think that in this case they're not being.. "evil". :P
It's an open source project, they're not inserting any strange code (iframe, js or other).
Anyway it's your choice, I'm not pretending anything (of course) :)
Just talking
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 01:50 AM
Quote
It's an open source project, they're not inserting any strange code (iframe, js or other).
Please tell me you're not that naive. It's not about inserting ads. It's a way of tracking you. They know what you're logging into. They could even perform a type of MITM attack on you if they wanted.

On a similar note, Google Analytics isn't about advertising to you, it's about tracking you, watching where you go. If they know where you're going, what you're logging into (bearing in mind you're tying it to a Google account, no less), they're going to advertise to you more like that on their other services. Everything goes towards bolstering their profile of you.
Title: Re: Hardening admin security
Post by: godboko71 on November 6th, 2012, 01:51 AM
I like the idea of email, heck even a text would be cool too. No need for Google's involvement. 
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 01:54 AM
Of course a text would be cool. Let me know when you figure out how to send a text from off the shelf web hosting.
Title: Re: Hardening admin security
Post by: godboko71 on November 6th, 2012, 01:56 AM
Well if you know the carriers @whatever you could just sent an email to that phonenumber + @whatever. Email is plenty though no need for texts either :P
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 01:57 AM
That assumes you can figure out the carrier from the phone number. Oh, and it doesn't work on all carriers. Mucho headache involved. (Been there, done this.)
Title: Re: Hardening admin security
Post by: MultiformeIngegno on November 6th, 2012, 01:58 AM
I know, I was referring to tracking when I said iframe or JavaScript. I think I know a lot about Google's tracking. I saw 1+ hour of a conference of a guy called Matteo Flora, who studied Google's tracking methods for a while and published a lot about it. Summing all Google's methods to track users, he concluded that 99,7% of all the websites are "analyzed" by Google in some way (Analytics, Adwords, google DNS, Firefox's search bar and a lot of others). So, it's almost no info for Google that X user admins X forum, they already know it! And, likely, in the domain WhoIs there's also your home address :P
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 02:01 AM
He said that '99.7% of all the websites are analysed', what does that even mean? It doesn't actually mean anything, because it's not about the sites, it's about the users...

And it's also not about what you think it is... so what if Google has my home address from my domain records? That's of no use unless you can validate that it is me browsing, or that the person browsing from a given IP address (or with relevant cookies) is a certain person, whose habits you already know and can serve up appropriate ads. What information you think you have and what you give Google is almost certainly not what you think.

If you genuinely understood the risks that Google poses to privacy, you wouldn't be recommending them at all.
Title: Re: Hardening admin security
Post by: godboko71 on November 6th, 2012, 02:02 AM
Quote from Arantor on November 6th, 2012, 01:57 AM
That assumes you can figure out the carrier from the phone number. Oh, and it doesn't work on all carriers. Mucho headache involved. (Been there, done this.)
Oh I know, though since it's for admins it could be a phone number field and a dropdown with supported carriers. Would have to be a plugin (not for you to make, just a general thought haha), though not core: too much to keep up with and not a wide enough support net to worry about being in core.
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 02:03 AM
*shrug* I gave up worrying about this being in core earlier this thread when I realised the hassle it would actually cause, because if I make it core, it's going to screw users over who shouldn't be using it, and it's only going to lead to more of the above in this thread, namely 'Why don't you use <third party service>' which would send any sane administrator running for the hills.
Title: Re: Hardening admin security
Post by: MultiformeIngegno on November 6th, 2012, 02:11 AM
Quote from Arantor on November 6th, 2012, 02:01 AM
He said that '99.7% of all the websites are analysed', what does that even mean? It doesn't actually mean anything, because it's not about the sites, it's about the users...
It's actually the same. They just need you to be logged in on one site they have their code in and they can easily associate your IP with some data (username, name and in their best case, email).
Posted: November 6th, 2012, 02:08 AM

I'm just saying this:
If you're concerned about your data, you can switch back to "normal authentication". If you're already using some Google service and/or a smartphone with location services and/or adding your data to a website that uses Adwords, Analytics and so on, it's not a big deal to tell google you're the admin of X forum. If you're using these services/sites and you're concerned about your privacy, you should rethink your way of being online
Title: Re: Hardening admin security
Post by: Arantor on November 6th, 2012, 02:13 AM
No, it's not the same. Apart from the fact you have no idea whether he's referring to pages or entire sites or not, or his sample size - 99.7% of 1000 sites polled might reveal interesting results depending on what the 1000 sites were, assuming he even went to 1000 sites to collect that data.

I'm also pretty sure Google doesn't track me very well, because I value my privacy... Getting a little off topic but I'm willing to keep arguing about this if you are.
Quote
If you're concerned about your data, you can switch back to "normal authentication". If you're already using some Google service and/or a smartphone with location services and/or adding your data to a website that uses Adwords, Analytics and so on, it's not a big deal to tell google you're the admin of X forum.
Or you could just not install this in the first place since there was precisely zero chance of it ever becoming core using Google, slim enough chance of even the lesser variety being a core feature, but I value a simpler life, so maybe someone else can implement this idea instead of me.
Title: Re: Hardening admin security
Post by: Anthony` on November 6th, 2012, 02:18 AM
In my opinion, I don't think implementing Google Authenticator as a core feature is really appropriate. If anything, a plugin would probably be more suitable.
Title: Re: Hardening admin security
Post by: MultiformeIngegno on November 6th, 2012, 02:25 AM
Quote
If you're already using some Google service and/or a smartphone with location services and/or adding your data to a website that uses Adwords, Analytics and so on, it's not a big deal to tell google you're the admin of X forum. If you're using these services/sites and you're concerned about your privacy, you should rethink your way of being online
I think that it's important to understand what implies what. It's important that people know how to protect their privacy. I'm saying this:
if you're concerned about some info, nowadays you have to have some technical knowledge. I don't know the % of gmail market share, but it's huge. Now think about the normal user, they go to google, search for something always from the same pc, then maybe use youtube or their phone to look for a route. Google already started gathering your data (about location too if you use your phone).
Also if you use google without logging in on one of their services, then maybe you login on a forum that use adsense, they won.
What I'm saying is that it's really DIFFICULT to hide.
You should be an acknowledged user to do that! And an acknowledged user would know how to disable this method with the manual way.