Showing only topics with the tag "security".
    1. Passwords


      This will probably be controversial, but I disagree with the current password policy. Checking against a list of known broken passwords sounds like a good idea, but that list is only ever going to get bigger. The human factor has to be taken into account. People are going to reuse passwords. So whenever their reused password gets hacked from a less secure site, it's going to add to that list.

      Ideally, a password would be unique. Ideally, users should maybe ever use a password manager that generates garbage as a password that no one could hack. An ideal world is different from reality. Specific requirements are going to lead to people needing to write things down. In the past, that was on paper, like Wargames. Now, it's going to lead to people pasting their username and login into text documents for easy reference. That's probably what I'm going to have to do. Was my previous method of reusing passwords safe? No. Will my new method of remembering passwords be safe? Probably not either.

      I'm not entirely sure what all the account security is about, either. For my bank, sure, a complex password. I have a lot to lose there. For an account on a glorified message board? There's better ways to establish legitimacy. 4chan, of all places, dealt with this (nod to 2chan), by having users enter a password after their username that got encoded and displayed as part of their username to verify that they were, in fact, the same user.

      So the topic for discussion would be, what's the endgame here? Where is the line drawn between usability and security? I may well be on the wrong side of this, but I think it's worth discussing.

      Edit: I think there may be some good reasons, evidenced in this reply. I think it was a good discussion nonetheless, since it wasn't obvious to me and perhaps not to other people.

      Edit 2: I'm going to hop off, but I think there's been some good discussion about the matter. As I said in the original post "I may well be on the wrong side of this". I may well be, but I hope I have addressed people well in the comments. Some of my comments may be "worst case" or "devil's advocate" though. I understand the reason for security, as evidenced above, but I'm unsure about the means.

      17 votes
    2. I was reading over tildes' privacy policy and saw that passwords are stored hashed, but are they salted as well?

      https://defaultnamehere.tumblr.com/post/163734466355/operation-luigi-how-i-hacked-my-friend-without#fnref:salted

      Not that tildes is big enough atm to have big public database breaches, but in the future it's a good idea to store passwords with a secure salting system, especially to help users that might have common passwords like "Diane" in the Tumblr post.

      27 votes
    3. I’m still in awe of what’s happening here and wish I had a crystal ball to see the change this type of community will drive in broader social discourse. If that goal is realized, there will be very sophisticated folks looking to disrupt that progress.

      As a security guy (especially in light of Reddit’s recent announcement) I had a few questions!

      1.) How open are we to integrating some type of optional 2FA for users? Maybe a simple TOTP integration?
      2.) Are the admins of the site implementing the right amount of fundamental controls for the backend? I’m 100% happy to provide thoughts on this if necessary! The decisions you make now, could impact us 5-6 years from now. And they’re oh-so-easy to change this early :-D.

      16 votes
    4. I'm sure as tildes gets bigger, security will continue to be a matter of discussion.

      The dev GodEmperors of tildes have (quite awesomely) taken a big position on security already by disallowing breached passwords from being used.

      I'm not much of a hacker myself, but it's an armchair interest and I'm sure others more skilled would love to be able to give back to Tildes and help keep the site as secure as possible.

      What's the policy on bug hunting, and searching for exploits?

      Thanks!

      14 votes
    5. A lot of the newer websites and services now offer 2FA so I was wondering if Tildes has any plans to do that? No idea how hard it would be to implement but I feel like that would be a welcome addition for many people.

      I'd also be happy to hear people's thoughts on this and if you guys think the website actually needs this. In my mind more security is always better than less security.

      37 votes
    6. While reading up on what it takes to run this site, it just occurred to me that the site is hosted on one server with one network connection. Adding a CDN or cloud based DDOS protection would run contrary to the "no third party" thing we've got going on here, so that doesn't seem like an option.

      So I got to wondering, what would happen if a malicious actor were to sic a botnet on us? I imagine the outcome would not be good. Do we have any strategies to deal with this?

      9 votes
    7. This is of course already possible with base64 encoding and some work on the user's side, but adding the ability to encrypt messages as a native feature would better encourage this as a security measure. This is a standard feature on a lot of darknet markets. Tildes could allow users to upload a public GPG key. Then a private key could be held entirely client-side in session storage to be used by JavaScript.

      This feature would probably add too much complexity to the site's simplistic front end. But I'd be interested to have a discussion on the pros/cons.

      6 votes
    8. Password Reset


      I don't need to reset my password, and I really appreciate the way that it is done to maximize anonymity. However, I think there is a bit of a problem with how it is done in terms of users getting locked out.

      If you're locked out, as far as I can tell, there is no way to view the email hint associated with your account. It seems a bit counterintuitive to me that in order to see the hint for how to regain access to your account, you have to already have that access! I also think that it won't work in the case that someone has been away for a few months and has forgotten their password. I'm not sure what a good way of displaying the hint would be, however, since if it is done by username anyone who has seen your posts can look at your password hint.

      Hopefully with a bit of discussion we can cook something up that can solve this catch-22!

      11 votes
    9. Hi! Something I've been wondering, is Tilde planned to eventually have a bug bounty program or something like that for security flaws in the future?

      Edit: RIP, forgot to separate those tags with commas...

      7 votes
    10. As can be seen in this post in ~test it is possible to secretly refer to another webpage than the one actually typed. It's not the biggest priority as of now, but it would be nice to see this fixed before Tildes will go live.

      In case the ~test post gets deleted, here's an example:
      https://innocent.site/

      7 votes
    11. Warrant Canary


      Hey, just a thought. I'm not sure what the legal standing of warrant canaries (i.e. being compelled to lie) is in Canada, but given the privacy level afforded by the site the key component to that privacy is trust.

      You're doing a lot to make sure private data is treated as harmful, and with the open source code being visible, but that's still not a guarantee that the server is actually running the code that will be open sourced.

      Tildes could probably benefit from a warrant canary given that it's a platform for user generated content and if it gets prominent enough it may be subject to LEO scrutiny. Compliance with LEO is a given since the website operates under Canadian jurisdiction, but given the... nature of some requests (Gag Orders / Etc...) a canary could be a privacy positive move for users of Tildes.

      7 votes