Hosted:

  • Service includes any subdomain of intra.net.
  • Service includes use of any domains managed by 3rd parties. Please use a DNS CNAME pointing to the PTR name of the server, and send us your HTTPS certificate if desired.

Local install:

  1. For assistance please contact your registrar and/or software supplier (NetBIOS is a limited alternative)
  2. Update the Noodle setting "System Tools > Settings > URL for Noodle"

Information about our hosted security:

  • Rackspace standards, and certifications.
  • Amazon standards, and certifications.
  • Google standards, and certifications.
  • Your data is not shared with anyone, and is only viewed by Vialect on your request.
  • Daily backups are retained for one day and monthly backups for 3 years; all are encrypted and stored in multiple cities. Optimal space conservation is favored over optimal recovery time.
  • Only the strong-password-protected ssh key of our security manager has full access to hosted environments.
  • Stable Linux branches are used and security updates are evaluated or applied daily.
  • Data sovereignty: people who want to avoid government oversight should encrypt a local install and host the data under a less intrusive government.
  • Clients will be notified within a day if our Intrusion detection systems ever detect a security breach.
  • Application security
  • Regulation compliance

Please read this overview for a summary of applicable regulations.

    • ISO 27001
      • Compliant, not certified.
    • HIPAA
      • Not applicable as we do not store client health data.
      • Employees are covered by OHIP which exceeds USA standards.
    • Data Protection Directive / GDPR
      • Client implementation / usage dictates compliance.
      • Compliant by clients opting to represent Vialect in the EU.
    • C-28
      • Automated Noodle emails contain a one-click unsubscribe link
    • PCI DSS
      • A local install is required to comply.
    • SOC 2
      • Compliant, not certified.

Please contact us if you have specific questions about regulation compliance.

Public network application security options:

  • SSL (prevents password collection on public wifi)
  • Whitelist (prevents application inspection from known hostile networks)
  • "Session Security Level" set to 4 (prevents session hijacking)
  • "Minimum password length" set to 8 (makes password guessing harder)
  • Auto blacklisting blocks IPs that use the wrong password too often (defaults to 20 per minute)
  • 2-factor authentication
  • Authentication keys for RSS and Calendar subscriptions.
  • Injection detection
  • Analytics
  • Active Directory Authentication
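As an added example (not Noodle's own code) of the auto blacklisting option above, a sliding-window blocker using the listed default of 20 wrong passwords per minute; the log line format and the IP addresses are constructed for illustration:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                # page default: 20 wrong passwords per minute
WINDOW = timedelta(minutes=1)

class AutoBlacklist:
    """Block a source IP once it exceeds THRESHOLD wrong passwords inside a sliding WINDOW."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> time the block was applied

    def is_blocked(self, ip):
        return ip in self.blocked

    def record_failure(self, ip, when):
        """Record one wrong-password attempt at time `when`; return True if ip is now blocked."""
        if self.is_blocked(ip):
            return True
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:   # slide the window forward
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked[ip] = when
            return True
        return False

def replay(log_lines, threshold=THRESHOLD):
    """Feed constructed 'ISO-timestamp ip OK|FAIL' lines through the blacklist and
    return the set of IPs that ended up blocked (OK lines are ignored)."""
    bl = AutoBlacklist(threshold)
    for line in log_lines:
        ts, ip, result = line.split()
        if result == "FAIL":
            bl.record_failure(ip, datetime.fromisoformat(ts))
    return set(bl.blocked)

# constructed sample log (hypothetical format, not Noodle's): 203.0.113.5 fails 20 times
# in 20 seconds (a burst); 198.51.100.7 fails 20 times spread over five minutes
SAMPLE_LOG = (
    ["2024-01-01T10:00:%02d 203.0.113.5 FAIL" % i for i in range(20)]
    + ["2024-01-01T10:%02d:%02d 198.51.100.7 FAIL" % (i // 4, (i % 4) * 15) for i in range(20)]
    + ["2024-01-01T10:05:00 203.0.113.5 OK"]
)
```

The slow guesser never has 20 failures inside any one-minute window, so only the burst source is blocked at the default threshold.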

Chrome Bugs:
  • Version 37.0.2062.120 (and 39.0.2159.0 canary) inconsistently crash with "Aw, Snap!".
    • Empty the cache, etc, and restart the browser.
    • Send us your IDs from chrome://crashes/ (Google keeps some bug reports private, but any IDs we are sent will be added as related to our report or one of the 72937 other outstanding Chromium bugs).
  • Version 40.0.2214.111 will not run functions if they have ever been called (onmouseover) from another window (iframe)
    • Reported as a regression.
  • Version 44.0.2403.125 loses scope on deeply nested AJAX
  • Version 50: disabling "Use a prediction service to load pages more quickly" is advised to avoid incorrect redirects.
  • Version 72+: WebDriver is not blocking and is thus unusably buggy
  • Version 84+ resets live CSS changes only when developer tools are open
  • Version 85 writes its own CSS instead of respecting dark mode

Solutions:

  • Use Firefox.
  • Upgrade.
  • Avoid nested AJAX.

LAN security options for the server:

  • Whole disk encryption (prevents bypassing security by reading the disk with another computer).
  • Dedicated server (reduces exploitable surface area).
  • Automated Linux updates
  • Firewall blocking all but ssh and the Noodle http[s] ports (reduces exploitable surface area).
  • ssh keys (prevents password guessing on ssh).
  • IDS, and resource alerts

List of most to least secure ways of connecting to the Noodle service:

  1. On a network not (even indirectly) connected to the internet.
    • Online features will necessarily not work:
      • email
      • upgrade button
      • unsplash
      • auto ssh
      • etc
  2. On a network only indirectly connected to the internet.
  3. On a public network with a firewall or NAT port forwarding blocking all but one port.
  4. On a public network.

Public network security options:

  • HTTPS
  • DNS CAA records
  • HTTP headers (content-security-policy, strict-transport-security, etc)
  • Whitelist
  • Auto blacklisting enabled.
  • "Session Security Level" set to 4 (prevents session hijacking).
  • IWA or 2-factor authentication.
  • "Minimum password length" set to 8 (makes password guessing harder).
  • Encrypted VPN or ssh tunnel.
  • Anonymity networks like Tor can be used, optionally with SSL or ssh (in practice this will prevent anyone, including governments, from knowing which server a user is talking to).
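An added example (not Noodle's or Vialect's code) that audits a raw HTTP response for the HTTPS and header options listed above: Strict-Transport-Security with a sufficient max-age, a Content-Security-Policy without 'unsafe-inline', nosniff, and Secure/HttpOnly on the cookies that carry the session. The two responses, the cookie name and the 180-day HSTS minimum are assumptions, not values from this page.

```python
import re

MIN_HSTS_AGE = 15552000  # 180 days; an assumed minimum, not a value from the page

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(lowercase name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return status, pairs

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    _, pairs = parse_response(raw)
    h = dict(pairs)                        # last value wins for single-valued headers
    cookies = [v for k, v in pairs if k == "set-cookie"]
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age below %d" % MIN_HSTS_AGE)
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    for c in cookies:                      # a session cookie is what hijacking steals
        flags = {f.strip().lower() for f in c.split(";")[1:]}
        for needed in ("secure", "httponly"):
            if needed not in flags:
                findings.append("cookie %s lacks %s" % (c.split("=")[0], needed))
    return findings

# constructed responses, not captured from a real Noodle server
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Set-Cookie: session=abc123; Path=/\r\n\r\n<html>")
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Content-Security-Policy: default-src 'self'\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
            "\r\n<html>")
```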

    • Instead of downgrading we encourage you to report issues and then upgrade to a fixed version.
    • A new unwanted feature can often be made optional by adding a setting to disable it.
    • To test customizations against a new version we recommend cloning the VM or DB to a test instance to try the upgrade out before applying it to the production version.
    • If only the last number of the version has changed, downgrade by replacing its lib directory with the old version.
    • If the second number in the version changes, reverting the database structure will require a custom build.