Application Security

TimL • 2014/09/23

Public network application security options:

SSL (prevent passwords collection from public wifi)
White list (prevent application inspection from known hostile networks)
"Session Security Level" to 4 (prevent session hijacking)
"Minimum password length" to 8 (make password guessing harder)
Auto blacklisting block IPs that use the wrong password to often (defaults to 20 per minute)
2 factor authentication
Authentication keys for RSS, and Calendar subscriptions.
Injection detection
Analytics
SSO (IWA, SPNEGO, Active Directory Authentication, SAML, JWT)

Security

TimL • 2014/09/23

Security at Vialect is addressed in the following categories:

Chrome bugs

TimL • 2014/09/15

Chrome Bugs:

Version 37.0.2062.120 (and 39.0.2159.0 canary) inconsistently crash with "Aw, Snap!".
- Empty the cache, etc, and restart the browser.
- Send us your ids from chrome://crashes/ (Google keeps some bug reports private, but any IDs we are sent will be added as related to our report or one of the 72937 other outstanding chromium bugs).
Version 40.0.2214.111 will not run functions if they have ever been called(onmouseover) from another window (iframe)
- reported as a regression.
Version 44.0.2403.125 loses scope on deeply nested AJAX
Version 50 Disabling "Use a prediction service to load pages more quickly" is advised to avoid incorrect redirects.
Version 72+ web driver is not blocking and thus unusably buggy
Version 84+ resets live CSS changes only when developer tools is open
Version 85 writes it's own CSS instead of respecting dark mode

Solutions:

Use Firefox.
Upgrade
avoid nested AJAX

local security

TimL • 2014/07/11

LAN security options for the server:

Whole disk encryption (prevents bypassing security by reading the disk with another computer).
Dedicated server (reduces exploitable surface area).
Automated Linux updates
Firewall blocking all but ssh and the Noodle http[s] ports (reduces exploitable surface area).
ssh keys (prevents password guessing on ssh).
IDS, and resource alerts

Network security

TimL • 2014/07/11

List of most to least secure ways of connecting to the Noodle service:

On a network not (even indirectly) connected to the internet.
- online features will necessarily not work;
  - email
  - upgrade button
  - unsplash
  - auto ssh
  - etc
On a network only indirectly connected to the internet.
On a public network with a firewall or NAT port forwarding blocking all but one port.
On a public network.

Public network security options:

HTTPS
DNS CAA records
HTTP headers (content-security-policy, strict-transport-security, etc)
White list
Auto blacklisting enabled.
"Session Security Level" to 4 (prevent session hijacking).
IWA or 2 factor authentication.
"Minimum password length" to 8 (make password guessing harder).
Encrypted VPN or ssh tunnel.
Anonymity networks like tor can be used, optionally with ssl or ssh (in practice will prevent anyone, including governments, from knowing what server a user is talking to).

Downgrading

TimL • 2014/07/07

- Instead of downgrading we encourage you to report issues and then upgrade to a fixed version.
- A new unwanted feature can often be made optional by adding a setting to disable it.
- To test customizations against a new version we recommend cloning the VM or DB to a test instance to try the upgrade out before applying it to the production version.
- If only the last number of the version has changed, downgrade by replacing its lib directory with the old version.
- If the second number in the version changes reverting the database structure will require a custom build.

Components 8

TimL • 2014/03/06

ActiveX components are not supported on anything after Windows 8.1 and Internet Explorer 11 or Edge.
Please use the built in editor for in place editing, and upgrade to Firefox or Chrome to use drag and drop.

pfx to pem

TimL • 2013/09/03

Windows example of converting a Tomcat SSL certificate to Apache :

keytool -storepass 123 -keystore noodle.pfx -export -alias domain.tld -rfc -file cert.pem

keytool -storepass 123 -keystore noodle.pfx -export -alias root -rfc -file fullchain.pem
openssl pkcs12 -in noodle.pfx -nocerts -nodes > privkey.pem

Official keytool manual

Official openssl manual

IE

TimL • 2013/04/25

Steps to make IE behave more like Chrome or Firefox:

Upgrade to version 11 (or 8 if on XP)

Reset IE:

Tools>internet options>advanced>reset>check delete personal settings>reset
close IE (all windows)

Make IE usable on windows server:

Tools>internet options>advanced>uncheck automatically recover from page errors with compatibility view
Tools>internet options>security>select trusted sites>set to low>sites>remove all the current sites and add the Noodle url.
Tools>internet options>security>select trusted sites>set to low>custom level>scroll all the way down and disable "XSS filter"
tools>compatibility view settings> remove and uncheck all.

Google mail and calendar

TimL • 2013/03/01

For mailto:

Make sure you are on your Google Mail page.
Copy/paste this into the address bar:
- javascript:navigator.registerProtocolHandler("mailto","https://mail.google.com/mail/?extsrc=mailto&url=%s","Gmail")
Add the javascript: to the front again if it got automatically trimmed. Then hit enter.

For webcal:

Make sure you are on your Google Calendar page.
Copy/paste this into the address bar:
- javascript:navigator.registerProtocolHandler("webcal","https://www.google.com/calendar/render?cid=%s","Google Calendar")
Add the javascript: to the front again if it got automatically trimmed. Then hit enter.

Noodle Help Site

Helping you use your Noodle