Security at Vialect is addressed in the following categories:
Author Archives: TimL
Chrome bugs
Chrome Bugs:
- Version 37.0.2062.120 (and 39.0.2159.0 canary) inconsistently crash with "Aw, Snap!".
- Empty the cache, etc, and restart the browser.
- Send us your ids from chrome://crashes/ (Google keeps some bug reports private, but any IDs we are sent will be added as related to our report or one of the 72937 other outstanding chromium bugs).
- Version 40.0.2214.111 will not run functions if they have ever been called(onmouseover) from another window (iframe)
- reported as a regression.
- Version 44.0.2403.125 loses scope on deeply nested AJAX
- Version 50 Disabling "Use a prediction service to load pages more quickly" is advised to avoid incorrect redirects.
- Version 72+ web driver is not blocking and thus unusably buggy
- Version 84+ resets live CSS changes only when developer tools is open
- Version 85 writes it's own CSS instead of respecting dark mode
Solutions:
- Use Firefox.
- Upgrade
- avoid nested AJAX
local security
LAN security options for the server:
- Whole disk encryption (prevents bypassing security by reading the disk with another computer).
- Dedicated server (reduces exploitable surface area).
- Automated Linux updates
- Firewall blocking all but ssh and the Noodle http[s] ports (reduces exploitable surface area).
- ssh keys (prevents password guessing on ssh).
- IDS, and resource alerts
Network security
List of most to least secure ways of connecting to the Noodle service:
- On a network not (even indirectly) connected to the internet.
- online features will necessarily not work;
- upgrade button
- unsplash
- auto ssh
- etc
- online features will necessarily not work;
- On a network only indirectly connected to the internet.
- On a public network with a firewall or NAT port forwarding blocking all but one port.
- On a public network.
Public network security options:
- HTTPS
- DNS CAA records
- HTTP headers (content-security-policy, strict-transport-security, etc)
- White list
- Auto blacklisting enabled.
- "Session Security Level" to 4 (prevent session hijacking).
- IWA or 2 factor authentication.
- "Minimum password length" to 8 (make password guessing harder).
- Encrypted VPN or ssh tunnel.
- Anonymity networks like tor can be used, optionally with ssl or ssh (in practice will prevent anyone, including governments, from knowing what server a user is talking to).
Downgrading
- Instead of downgrading we encourage you to report issues and then upgrade to a fixed version.
- A new unwanted feature can often be made optional by adding a setting to disable it.
- To test customizations against a new version we recommend cloning the VM or DB to a test instance to try the upgrade out before applying it to the production version.
- If only the last number of the version has changed, downgrade by replacing its lib directory with the old version.
- If the second number in the version changes reverting the database structure will require a custom build.
Components 8
ActiveX components are not supported on anything after Windows 8.1 and Internet Explorer 11 or Edge.
Please use the built in editor for in place editing, and upgrade to Firefox or Chrome to use drag and drop.
pfx to pem
Windows example of converting a Tomcat SSL certificate to Apache :
keytool -storepass 123 -keystore noodle.pfx -export -alias domain.tld -rfc -file cert.pem keytool -storepass 123 -keystore noodle.pfx -export -alias root -rfc -file fullchain.pem openssl pkcs12 -in noodle.pfx -nocerts -nodes > privkey.pem
IE
Steps to make IE behave more like Chrome or Firefox:
Upgrade to version 11 (or 8 if on XP)
Reset IE:
- Tools>internet options>advanced>reset>check delete personal settings>reset
- close IE (all windows)
Make IE usable on windows server:
- Tools>internet options>advanced>uncheck
automatically recover from page errors with compatibility view - Tools>internet options>security>select trusted sites>set to low>sites>remove all the current sites and add the Noodle url.
- Tools>internet options>security>select trusted sites>set to low>custom level>scroll all the way down and disable "XSS filter"
- tools>compatibility view settings> remove and uncheck all.
Google mail and calendar
For mailto:
- Make sure you are on your Google Mail page.
- Copy/paste this into the address bar:
- javascript:navigator.registerProtocolHandler("mailto","https://mail.google.com/mail/?extsrc=mailto&url=%s","Gmail")
- Add the javascript: to the front again if it got automatically trimmed. Then hit enter.
For webcal:
- Make sure you are on your Google Calendar page.
- Copy/paste this into the address bar:
- javascript:navigator.registerProtocolHandler("webcal","https://www.google.com/calendar/render?cid=%s","Google Calendar")
- Add the javascript: to the front again if it got automatically trimmed. Then hit enter.
Single sign-on (SSO)
Noodle SSO can be setup with IWA, JWT, SAML, or for non managed users there are also options to store the password locally.
- Noodle setup for IWA.
- Noodle setup for JWT.
- Noodle setup for SAML.
- Add a web shortcut to the users startup, homepage, or desktop
- System Tools > Settings > Security > Permit Login via GET = yes
- https://$D/HandleLogin.po?user_name=$U&user_password=$P
- A link can be downloaded from the profile page.
- Use a cookie
- Enable the "Noodle > System Tools > Settings > User Settings > Remember my login information" feature
- This option will ask for a password if the user ever clicks logout.