Password Security

From its inception, CellarTracker used a very low-tech authentication mechanism, and users were encouraged to use a password that they wouldn't be afraid for an administrator to see.

However, effective October 27, 2011 the site now embraces industry best practice with regard to password handling, cookies, secure web protocols, password reset mechanisms etc. If you are not especially technical, you can probably stop reading right now. However, if you are in fact much more curious or have specific technical concerns or issues, the goal of this FAQ is to very transparently disclose our practices in this regard.

Please also read about Privacy Options for controlling who can see your cellar data as well as our Privacy Policy.

Technical Details

Below I describe in more detail our handling of web protocols (HTTP/HTTPS), SSL/TLS certificates, cookies, password hashing, and general password retention and transmission practices.

HTTPS Details

Traditionally websites have used a secure (HTTP Secure or HTTPS) page just for the initial log-in and then resumed the rest of the browsing session over an insecure HTTP connection. However, with the advent of shared, public wireless access points, this is increasingly problematic, as demonstrated by the public release of Firesheep. In short, this partially secure approach makes it easy for anyone on the same network to capture your authentication cookie (your credentials) and masquerade as you. As such, CellarTracker has chosen to use HTTPS for ALL browsing for logged in users. While this does add some latency and server expense, it is the only proper way to truly protect your information.

CellarTracker formerly showed advertisements to guests and to registered users who had not made a Voluntary Payment. Unfortunately, at this time Google does not offer a version of AdSense that will serve ads over HTTPS without compromising security and generating incredibly annoying "mixed content" prompts in IE8 and older. In the name of security and user convenience, we have decided to forgo millions of ad impressions per year and have dropped these advertisements for all registered users. While this is a very expensive business decision for CellarTracker, it is simply the RIGHT THING to do for the community.

Not all SSL/TLS certificates are created equal. CellarTracker has obtained a Class 4 or Extended Validation (EV) certificate. You can see this by the green address bar in your browser:

[Image: EV SSL Cert]

Cookie Details

In keeping with industry best practice, authentication cookies (username and hashed password) generated by CellarTracker are marked Secure, so they are only transmitted over HTTPS. The site also marks all cookies HttpOnly, so that page scripts cannot read them, which helps mitigate Cross Site Scripting attacks in mainstream browsers.
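The two cookie attributes described above are easy to check from the raw response headers. The following is an added example, not CellarTracker's code: it parses Set-Cookie lines, reports any cookie missing Secure or HttpOnly, and shows how an authentication cookie should be emitted. The header values and cookie names are constructed for the demo.

```python
# Added example (not CellarTracker's code): audit Set-Cookie headers for the
# Secure and HttpOnly attributes, and build an authentication cookie that
# carries both. Header values below are constructed for the demo.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool

    def findings(self) -> List[str]:
        """Plain-English problems with this cookie; empty if it is fine."""
        out = []
        if not self.secure:
            out.append("missing Secure: the browser will also send it over plain HTTP, "
                       "where a sniffer on a shared network can read it")
        if not self.httponly:
            out.append("missing HttpOnly: readable from JavaScript, so an XSS bug "
                       "could exfiltrate it")
        return out


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie line (with or without the 'Set-Cookie:' prefix)."""
    value = header
    if header.lower().startswith("set-cookie:"):
        value = header.split(":", 1)[1]
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"not a cookie header: {header!r}")
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags like Secure have no '=value'.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the list of problems found with it."""
    return {a.name: a.findings() for a in (parse_set_cookie(h) for h in headers)}


def build_auth_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Emit a Set-Cookie line flagged the way an authentication cookie should be."""
    if ";" in value or "=" in name or ";" in name:
        raise ValueError("cookie name/value must not contain ';' or '='")
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly"


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "Set-Cookie: ct_user=alice; Path=/; Secure; HttpOnly",   # correct
    "Set-Cookie: ct_auth=deadbeefcafe; Path=/; Secure",      # missing HttpOnly
    "Set-Cookie: prefs=metric; Path=/",                      # missing both
]

if __name__ == "__main__":
    for cookie, problems in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "->", problems or "OK")
    print(build_auth_cookie("ct_auth", "deadbeefcafe"))
```

Run it against the Set-Cookie lines from a real response (for example, copied out of your browser's network inspector) to confirm every cookie on a logged-in session carries both flags.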

Password Security

CellarTracker no longer retains the actual text of any password. Rather, your password is securely salted and hashed and stored only in that form. Because of this, passwords are now case sensitive. All formerly retained passwords have been deleted, and site administrators no longer have access to your actual password. If you do forget your password, the site lets you send a temporary password reset request to your email address of record. Since CellarTracker is not a banking or transactional site, we do not use security questions (e.g. what is your dog's name or your mother's maiden name) to further guard password resets. If your email is hijacked, you likely have far bigger concerns than unauthorized access to your CellarTracker account. However, CellarTracker cannot be used as a vector to determine your password so that a hacker can then access your bank accounts on another website.

If for some reason you no longer have access to an old email address that you used on CellarTracker, please send email to eric@cellartracker.com with your old email address, your full name, the handle in use on your account, and any other information required to verify your identity. Assuming everything checks out, we will update your email address and send you a password reset request.

Migration

Since these changes were implemented on the website, your cookies are automatically migrated the first time you visit the site from a given machine/browser. In some rare cases people have had issues with this transition; the simplest workaround is to delete all cookies for cellartracker.com in that browser and then log back into the site.

Issues & FAQ's

Known Issues

  • WINDOWS XP: Some older Windows XP machines may claim that the certificate is untrusted, but this is actually an indication that your XP machine is VERY out of date. The solution is to install the root certificate update from this Microsoft Knowledgebase article: http://support.microsoft.com/kb/931125
  • iPHONE/iPAD: I have not seen reports of this, but since upgrading to iOS5, I have twice seen some odd behavior in Mobile Safari on my iPhone where Safari changes its setting from allowing cookies to Never. This prevents users from logging in and logging out, and breaks things like impersonation. I think this issue may have more to do with iOS5 than the recent CellarTracker changes and is just purely coincidental timing.
  • Blackberry: Some Blackberry models seem to have incomplete root certificates and prompt about Insecure SSL. You need to add the certificate on your Blackberry.
  • IE9: Shortly after we launched this upgrade to CellarTracker, some users, especially those on IE9, were seeing odd looping behavior when they tried to visit CellarTracker. All indications pointed to an obscure bug in the handling of secure cookies, but we were never able to reproduce the looping behavior. However, after some proactive code changes, there have been no further reports for the past year. Please see this forum thread.

Frequently Asked Questions

  • DOWNLOAD TO EXCEL: Since its inception, CellarTracker has had a special Excel Download that utilizes "Excel Web Queries" to let you download your cellar. This requires adding your CellarTracker handle and password to the first tab in the spreadsheet, and these are then sent to CellarTracker with each web request. In this case there is no hashing of passwords, but to protect your password we now have an upgraded version of the web query that uses HTTPS for all requests. You can download it from https://www.cellartracker.com/webquery.xls
    Unfortunately it has come to our attention that some older versions of Excel for the Macintosh seem to have trouble with this spreadsheet, so we still do have the older, insecure version hosted at http://www.cellartracker.com/Webquery_Insecure.xls
    Please use this version with caution, since it sends your password in plain text over HTTP.
  • API SECURITY: Right now the CellarTracker API is predominantly used by the 3rd party Cor.kz and CellarVU applications. CellarTracker does not currently implement OAuth 2.0 or another mechanism for granting these applications access to your CellarTracker account. We are certainly considering that for the future, but for now we have made some minor upgrades to our API so that these applications will not need to retain your password. There is now a Credentials API that can be passed a handle and password and in return receive a valid password hash. Both CellarVU and Cor.kz plan to use this in their next major releases. Also, the current/latest version of Cor.kz has already switched over to HTTPS for all calls to CellarTracker. If you have concerns about this, we recommend either not using these applications or using a special password just for CellarTracker, Cor.kz and CellarVU that is DIFFERENT from the passwords you use for banking and other transactional accounts.

A Note on Credit Card Security

This is actually a non-sequitur, but with the recent announcement of stolen credit cards at Wine Library, we thought we should comment on credit card security at CellarTracker. We have actually made a very conscious decision from day 1 to NEVER store or even handle cardholder data. All voluntary payments to CellarTracker come via a webpage hosted at payflowlink.paypal.com as part of the PayFlow Link payment service. This is a 3rd party payment service originally developed by Verisign and later acquired by PayPal as part of their Merchant Division. All cardholder data that you enter is handled only by PayPal. We never have access to complete credit card details, and we don't want it. PCI compliance is a real pain in the neck, and touching credit cards is akin to playing with munitions.

Conclusion

In short, we hope you are pleased with the changes here. Please do email eric@cellartracker.com if you have questions, concerns or technical issues.
