Public network application security options:

  • SSL (prevents password collection on public wifi)
  • White list (prevents application inspection from known hostile networks)
  • "Session Security Level" set to 4 (prevents session hijacking)
  • "Minimum password length" set to 8 (makes password guessing harder)
  • Auto blacklisting blocks IPs that use the wrong password too often (defaults to 20 per minute)
  • 2 factor authentication
  • Authentication keys for RSS and Calendar subscriptions
  • Injection detection
  • Analytics
  • SSO (IWA, SPNEGO, Active Directory Authentication, SAML, JWT)
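
As an added illustration (not Noodle's own code) of the auto blacklisting option above: a sliding-window counter of wrong-password attempts per client IP that blocks the IP once it exceeds the page's stated default of 20 failures in one minute. The block duration and the sample IPs and timings are constructed assumptions.

```python
# Added illustration, not Noodle's own code: auto blacklisting of IPs that use the wrong password
# too often. Threshold follows the page's default (20 per minute); block duration is an assumption.
from collections import defaultdict, deque

class AutoBlacklist:
    def __init__(self, max_failures=20, window_seconds=60, block_seconds=600):
        self.max_failures, self.window, self.block_seconds = max_failures, window_seconds, block_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent wrong-password attempts
        self._blocked_until = {}             # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is not None and now < until:
            return True
        if until is not None:                # block expired: let the IP start with a clean slate
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
        return False

    def record_failure(self, ip, now):
        """Register one wrong-password attempt; return True if the IP is (now) blocked."""
        if self.is_blocked(ip, now):
            return True
        q = self._failures[ip]
        while q and now - q[0] >= self.window:  # drop attempts that aged out of the sliding window
            q.popleft()
        q.append(now)
        if len(q) > self.max_failures:       # more than 20 in any 60 s window -> block
            self._blocked_until[ip] = now + self.block_seconds
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)         # a correct password clears the history, not a block

# Constructed sample (documentation-range IPs): a brute-forcer firing 25 failures in 30 s, a slow
# guesser spread over 5 min (stays under 20/min), and a user who mistypes twice then succeeds.
SAMPLE_EVENTS = sorted(
    [(i * 1.2, "203.0.113.5", False) for i in range(25)]
    + [(i * 15.0, "198.51.100.7", False) for i in range(20)]
    + [(1.0, "192.0.2.9", False), (2.0, "192.0.2.9", False), (4.0, "192.0.2.9", True)]
)

def simulate(events=SAMPLE_EVENTS, limiter=None):
    """Replay (time, ip, ok) login events in time order; return the set of IPs that got blocked."""
    limiter, blocked = limiter or AutoBlacklist(), set()
    for t, ip, ok in events:
        if ok:
            limiter.record_success(ip)
        elif limiter.record_failure(ip, t):
            blocked.add(ip)
    return blocked
```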

Chrome Bugs:
  • Version 37.0.2062.120 (and 39.0.2159.0 canary) inconsistently crashes with "Aw, Snap!".
    • Empty the cache, etc., and restart the browser.
    • Send us your IDs from chrome://crashes/ (Google keeps some bug reports private, but any IDs we are sent will be added as related to our report or to one of the 72937 other outstanding Chromium bugs).
  • Version 40.0.2214.111 will not run functions if they have ever been called (onmouseover) from another window (iframe).
    • Reported as a regression.
  • Version 44.0.2403.125 loses scope on deeply nested AJAX.
  • Version 50: disabling "Use a prediction service to load pages more quickly" is advised to avoid incorrect redirects.
  • Version 72+: WebDriver is not blocking and is thus unusably buggy.
  • Version 84+ resets live CSS changes only when developer tools are open.
  • Version 85 writes its own CSS instead of respecting dark mode.

Solutions:
  • Use Firefox.
  • Upgrade.
  • Avoid nested AJAX.

LAN security options for the server:

  • Whole disk encryption (prevents bypassing security by reading the disk with another computer).
  • Dedicated server (reduces exploitable surface area).
  • Automated Linux updates
  • Firewall blocking all but ssh and the Noodle http[s] ports (reduces exploitable surface area).
  • ssh keys (prevents password guessing on ssh).
  • IDS and resource alerts

List of most to least secure ways of connecting to the Noodle service:

  1. On a network not (even indirectly) connected to the internet.
    • online features will necessarily not work:
      • email
      • upgrade button
      • unsplash
      • auto ssh
      • etc.
  2. On a network only indirectly connected to the internet.
  3. On a public network with a firewall or NAT port forwarding blocking all but one port.
  4. On a public network.

Public network security options:

  • HTTPS
  • DNS CAA records
  • HTTP headers (content-security-policy, strict-transport-security, etc)
  • White list
  • Auto blacklisting enabled.
  • "Session Security Level" to 4 (prevent session hijacking).
  • IWA or 2 factor authentication.
  • "Minimum password length" to 8 (make password guessing harder).
  • Encrypted VPN or ssh tunnel.
  • Anonymity networks like Tor can be used, optionally with SSL or SSH (in practice this prevents anyone, including governments, from knowing which server a user is talking to).

  • Instead of downgrading, we encourage you to report issues and then upgrade to a fixed version.
  • A new unwanted feature can often be made optional by adding a setting to disable it.
  • To test customizations against a new version, we recommend cloning the VM or DB to a test instance and trying the upgrade there before applying it to the production version.
  • If only the last number of the version has changed, downgrade by replacing its lib directory with the old version.
  • If the second number in the version changes, reverting the database structure will require a custom build.

Steps to make IE behave more like Chrome or Firefox:

Upgrade to version 11 (or 8 if on XP)
Reset IE:
  1. Tools>internet options>advanced>reset>check delete personal settings>reset
  2. close IE (all windows)
Make IE usable on windows server:
  1. Tools>internet options>advanced>uncheck automatically recover from page errors with compatibility view
  2. Tools>internet options>security>select trusted sites>set to low>sites>remove all the current sites and add the Noodle url.
  3. Tools>internet options>security>select trusted sites>set to low>custom level>scroll all the way down and disable "XSS filter"
  4. Tools>compatibility view settings>remove and uncheck all.

For mailto:

  1. Make sure you are on your Google Mail page.
  2. Copy/paste this into the address bar:
    • javascript:navigator.registerProtocolHandler("mailto","https://mail.google.com/mail/?extsrc=mailto&url=%s","Gmail")
  3. Add the javascript: prefix to the front again if it was automatically trimmed, then hit Enter.

For webcal:

  1. Make sure you are on your Google Calendar page.
  2. Copy/paste this into the address bar:
    • javascript:navigator.registerProtocolHandler("webcal","https://www.google.com/calendar/render?cid=%s","Google Calendar")
  3. Add the javascript: prefix to the front again if it was automatically trimmed, then hit Enter.