COMING SOON: CellarTracker moves to pure-SSL traffic (Full Version)



Eric -> COMING SOON: CellarTracker moves to pure-SSL traffic (10/10/2011 2:41:33 PM)

In the coming week to 10 days, I will be moving all logged in users on CellarTracker to use SSL (Secure Sockets Layer) aka HTTPS. My goal is to do this with hopefully no disruption and no need for people to login again. I will be making a number of other best-practice changes around password retention and transmission policies. In fact, the core change is already live. With the exception of some mixed content messages that unpaid users will see (Google AdSense doesn't support SSL), things should work quite smoothly already. If you wish to use CellarTracker over SSL already, I recommend logging out and then logging back in via https://www.cellartracker.com/password.asp




wnissen -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/10/2011 3:09:12 PM)

Dear Eric,

Thanks! I was always concerned about the plaintext transmission of passwords. I use a different password for Cellartracker because of that, but most people use one or two passwords for everything. Glad to see the SSL, and I trust that the passwords will be salted and hashed for storage as well, to reduce the attractiveness of Cellartracker as a target.

Walt




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/10/2011 3:27:10 PM)

Walt, that is exactly correct.




collin -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/10/2011 8:48:46 PM)

are you going to change the excel download?




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/10/2011 8:54:20 PM)

quote:

ORIGINAL: collin

are you going to change the excel download?

TBD. I will likely move it to SSL download. I don't see any easy way to move away from the plain-text password there though.




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/11/2011 2:24:12 PM)

As of a few minutes ago, all cookies newly generated by my web server are marked as HttpOnly to help mitigate against the ramifications of an XSS attack in a mainstream browser. There is lots of debate as to how worthwhile this really is, but given that it is best practice I thought it made sense to do it.
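A quick way to see which flags a server's login cookie actually carries, as an added example in Python that is not code from CellarTracker or from this post. The cookie name CTSession and the three sample Set-Cookie headers are constructed for illustration; the builder shows the hardened form and the auditor reports what a given header is missing:

```python
"""Build and audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example (not CellarTracker's code). The cookie name and the sample
headers below are constructed for illustration.
"""
from http.cookies import SimpleCookie

# Flags a login cookie should carry on an HTTPS-only site, lower-cased
# as they appear after parsing.
REQUIRED_FLAGS = ("httponly", "secure")


def build_session_cookie(name, value, max_age=3600):
    """Return the value of a Set-Cookie header with both flags set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True   # not exposed to document.cookie
    jar[name]["secure"] = True     # only sent over HTTPS
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()


def audit_set_cookie(header_value):
    """Return the required flags that are missing from one Set-Cookie value.

    The first segment is name=value; every later ';'-separated segment is an
    attribute. Attribute names are case-insensitive, so compare lower-cased.
    """
    segments = [s.strip() for s in header_value.split(";")]
    attrs = {s.split("=", 1)[0].strip().lower() for s in segments[1:] if s}
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


# Constructed headers: what a legacy server, a half-fixed one and a
# hardened one might send for the login cookie.
SAMPLE_HEADERS = {
    "legacy":        "CTSession=abc123; Path=/",
    "httponly_only": "CTSession=abc123; Path=/; HttpOnly",
    "hardened":      build_session_cookie("CTSession", "abc123"),
}


def audit_all(headers=SAMPLE_HEADERS):
    """Map each label to the list of flags its header is missing."""
    return {label: audit_set_cookie(value) for label, value in headers.items()}


if __name__ == "__main__":
    for label, missing in audit_all().items():
        print(f"{label:14s} missing: {', '.join(missing) or 'nothing'}")
```

HttpOnly only stops script from reading the cookie; script that is already running in the page can still issue requests that the browser attaches the cookie to, which is the debate referred to above. Secure is the flag that matters once the site is HTTPS-only, because it keeps the cookie off plain HTTP where a sniffer (the Firesheep scenario mentioned later in this thread) could pick it up.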




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/14/2011 6:03:02 PM)

And how do you like those apples? A Class 4 (EV) certificate. Heck, even Google doesn't bother with those for their sites.

[image]https://www.cellartracker.com/images/evcert.png[/image]

The dev work is continuing albeit painstakingly, but I do think I should be on track to launch this at the end of next week.




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/21/2011 11:32:05 PM)

Well I'm still not quite there. All coding has been done except for the last task: a new password reminder feature to generate a temporary password token that will allow a user to login and reset their password. The idea is that the site will not even store the password and as such cannot email the password to a user. The best it can do is to send a temporary password to the email on record to allow a user to gain access to their account and set a new password.
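The two storage points raised in this thread, salted-and-hashed passwords (Walt's question, confirmed by Eric above) and a reset token that lets the site recover an account without ever holding the password, in one added Python example. This is not CellarTracker's code: the PBKDF2 round count, the one-hour token lifetime, the AccountStore class and the sample user are all assumptions made for the example.

```python
"""Salted password hashing plus a single-use, expiring password reset token.

Added example (not CellarTracker's code). Only hashes are stored, so the
site can verify a password or a token but can never email either one back.
PBKDF2_ROUNDS, TOKEN_TTL_SECONDS and the in-memory store are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000     # assumption: raise until a hash costs ~100 ms on your server
TOKEN_TTL_SECONDS = 3600    # assumption: reset link is valid for one hour


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' using a fresh random salt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    """In-memory stand-in for the users and reset-token tables."""

    def __init__(self):
        self.users = {}          # handle -> stored password hash
        self.reset_tokens = {}   # sha256(token) -> (handle, expires_at)

    def create_user(self, handle: str, password: str) -> None:
        self.users[handle] = hash_password(password)

    def login(self, handle: str, password: str) -> bool:
        stored = self.users.get(handle)
        return stored is not None and verify_password(password, stored)

    def issue_reset_token(self, handle: str, now: Optional[float] = None) -> Optional[str]:
        """Mint a random token; keep only its hash and expiry, and return the
        plaintext once so it can go in the email (and nowhere else)."""
        if handle not in self.users:
            return None          # the mail step should not reveal this to the requester
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (handle, now + TOKEN_TTL_SECONDS)
        return token

    def redeem_reset_token(self, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
        """Consume the token (single use) and, if it is valid, set the new password."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop: burned whether or not it succeeds
        if entry is None:
            return False
        handle, expires_at = entry
        if now > expires_at:
            return False
        self.users[handle] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("walt", "old password")
    token = store.issue_reset_token("walt")
    print("stored hash:", store.users["walt"])
    print("reset ok:", store.redeem_reset_token(token, "new password"))
    print("login with new password:", store.login("walt", "new password"))
    print("token reuse:", store.redeem_reset_token(token, "again"))
```

The token is stored hashed for the same reason the password is: a copy of the reset table is then no more useful to an attacker than a copy of the users table. Expiry and single use limit how long a captured reset email stays dangerous, and the question-and-answer hurdle discussed further down the thread would sit in front of redeem_reset_token as an additional check.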




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/25/2011 12:43:54 PM)

Just an update. OK, I am getting close.

The password reset token stuff required some new pages and infrastructure, but I have it pretty well sorted out now. I may also take an extra day or two to add some optional "biometric" features, namely the ubiquitous question and answer ("What is your first pet's name?", "What is your mother's maiden name?", etc.) to add a hurdle to the password reset feature. This protects people if your email is hijacked. That said, since CellarTracker is not a banking website, is not transactional, etc., it's not really the same sort of priority as just really securing the password you use on CT. So I may just push ahead and revisit biometrics later as a "nice to have" but far less essential security feature. In fact, I would argue that it is a much higher priority for me to implement OAuth 2.0 or some other system to allow you to use third-party apps like Cor.kz and CellarVU without having to reveal your credentials. (That said, I have added some API features that will allow them to get what they need to access your CT account and not have to RETAIN your password. So that is a useful baby step.) Full-on OAuth etc. is a MUCH bigger undertaking.

All that to say, this is getting very close. It's a rich space with plenty of layers of the onion to peel, but I have taken a really good and healthy bite out of the problem space. I have also been testing it like crazy, as it will break "the world" if I screw up.




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/27/2011 10:13:59 AM)

OK, I will likely pull the switch on this TONIGHT around 10pm Pacific time. There will likely be a brief 15 minute outage while I do this. (I will also be finishing the upgrade to SP3 of SQL 2008.)




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/27/2011 11:14:14 PM)

OK, wow, at last, these changes are LIVE. I will be up for a few hours monitoring for glitches and kinks. I hope I didn't break the world...




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/27/2011 11:49:53 PM)

OK, people who use the Excel download should grab the latest version from https://www.cellartracker.com/webquery.xls as it has been tweaked to hit all HTTPS links.




brigcampbell -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/28/2011 8:15:47 AM)

FYI, when I connected the first time from my BlackBerry I got a warning about the certificate. Click OK and it's working.

The bookmark was the http address.




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/28/2011 8:40:28 AM)

The site redirects you from HTTP to HTTPS if you are a logged in user, and then it rewrites your cookies.

I would love to track down what made the BB unhappy on the first visit, or does it force you to confirm all SSL sites?
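The redirect-then-rewrite behaviour Eric describes, as an added Python example in the form of a minimal WSGI app. It is not CellarTracker's code (the site runs classic ASP); the cookie name CTSession, the host and the request environments are constructed for illustration:

```python
"""Redirect a logged-in user from HTTP to HTTPS, then re-issue the login
cookie with the Secure (and HttpOnly) flag on the HTTPS request.

Added example (not CellarTracker's code): a minimal WSGI app. The cookie
name CTSession and the request environments are constructed for illustration.
"""
from http.cookies import SimpleCookie
from urllib.parse import quote

SESSION_COOKIE = "CTSession"   # assumption: name of the login cookie


def session_from(environ):
    """Return the login cookie value sent by the browser, or None."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel is not None else None


def secure_cookie_header(value):
    """Set-Cookie header that rewrites the login cookie with both flags."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = value
    jar[SESSION_COOKIE]["secure"] = True
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["path"] = "/"
    return ("Set-Cookie", jar[SESSION_COOKIE].OutputString())


def app(environ, start_response):
    # wsgi.url_scheme is what this server saw. Behind a TLS-terminating proxy
    # it reads "http" on every request and redirecting on it would loop
    # forever; map the proxy's scheme header instead, and only from a proxy
    # you control.
    scheme = environ["wsgi.url_scheme"]
    session = session_from(environ)
    if scheme == "http" and session is not None:
        # Logged-in user on plain HTTP: bounce to the same URL over HTTPS.
        # The cookie is not rewritten here: modern browsers refuse a Secure
        # cookie set by a plain-HTTP response, so that happens after the redirect.
        host = environ.get("HTTP_HOST", "www.cellartracker.com")
        target = "https://" + host + quote(environ.get("PATH_INFO", "/"))
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        start_response("302 Found", [("Location", target), ("Content-Length", "0")])
        return [b""]

    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if scheme == "https" and session is not None:
        headers.append(secure_cookie_header(session))   # from now on: HTTPS-only cookie
    body = (f"logged in, session {session}" if session else "anonymous").encode()
    headers.append(("Content-Length", str(len(body))))
    start_response("200 OK", headers)
    return [body]


def make_environ(scheme, cookie=None, path="/forum/tm.asp", query="m=169429"):
    """Constructed WSGI environ for one request."""
    env = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET",
           "HTTP_HOST": "www.cellartracker.com", "PATH_INFO": path, "QUERY_STRING": query}
    if cookie is not None:
        env["HTTP_COOKIE"] = cookie
    return env


def call(environ):
    """Invoke app() without a server; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    print(call(make_environ("http", "CTSession=abc123")))
    print(call(make_environ("https", "CTSession=abc123")))
    print(call(make_environ("http")))
```

Anonymous visitors are left on HTTP here, matching the thread (only logged-in users are redirected), and the old HTTP bookmark still works because the first HTTPS response is what re-issues the cookie with Secure set.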




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/28/2011 10:02:30 AM)

FYI, there are early reports of at least one person having difficulty with the new Excel download in Mac Excel 2008. Assuming that cannot be worked around, I have re-posted a version of the old, insecure spreadsheet at http://www.cellartracker.com/Webquery_Insecure.xls

Please use it with caution, as it will send your password in cleartext over the wire.




brigcampbell -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/28/2011 8:21:23 PM)

quote:

ORIGINAL: Eric

The site redirects you from HTTP to HTTPS if you are a logged in user, and then it rewrites your cookies.

I would love to track down what made the BB unhappy on the first visit, or does it force you to confirm all SSL sites?



Very easy to reproduce by clearing cookies.

When I login it displays this message:

"you are attempting to open a secure connection, but the servers certification is not trusted" then I have options to continue, close connection, view certificate, trust certificate.

Don't know about other ssl sites...




brigcampbell -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/28/2011 8:23:21 PM)

FYI my Android didn't care.




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/28/2011 9:06:23 PM)

It is a level 4 validated cert that has been through more scrutiny than any cert that Google uses on any of their sites. Crazy. I will see if there is something else I need to do to make BlackBerry happy.
Ironically I found this: http://www.google.com/support/mobile/bin/answer.py?hl=en&answer=113851

Actually I find THOUSANDS of references to this for all manner of sites and even core Blackberry functionality: http://www.google.com/search?hl=en&client=firefox-a&hs=ySg&rls=org.mozilla:en-US:official&q=+site:supportforums.blackberry.com+blackberry+you+are+attempting+to+open+a+secure+connection,+but+the+servers+certification+is+not+trusted

These apparently are not very trusting devices...




dsGris -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/30/2011 12:51:01 PM)

Eric,
Yesterday I downloaded the new Excel web query. Everything was working well. I have 3 sheets with formulas I got from Richard Sandler that allow me to have a visual Excel spreadsheet of the cellar.
This morning, after reading about the possible password problem on the old query, I decided to change to a new wine-specific password. Now the 3 wine cellar sheets are blank and do not refresh; the formulas still show in the cells, just no wine info.
Any help would be appreciated.
Dennis




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/30/2011 12:57:06 PM)

Dennis, in the Excel spreadsheet, did you go to the first tab and change the password to match your new one on the site?

Also, please note that once you use this old Excel sheet, you are broadcasting your new password in plaintext across the web. That is why I have a new version of the sheet that uses all HTTPS links.




dsGris -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/30/2011 1:23:04 PM)

Eric,
Yes, I did download the new https version, entered handle and new password. The regular info refreshes; just the cellar sheets come up blank. I did not want to delete the old http version until the new one was tested. Everything was working fine until I changed the passwords. I tried a second download to test with similar results.
Thanks, Dennis




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/30/2011 1:26:21 PM)

Does the OLD sheet work with the new password? If not then you are mistyping the password...
Are you saying that the new sheet DOES work with the new password except for SOME of the sheet tabs? If so WHICH exact tab(s)?




dsGris -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (10/31/2011 2:15:10 PM)

Eric,
I e-mailed rasandler to see if he can come to the rescue as I got the original formulas from him. It was acting weirdly today when I was copying the formulas to send for him to check out. I still do not understand why changing the password would cause the problem. All the other pages refresh as they should. The pages I am referring to are the 3 that I added: rack view, rack counts & rack names.
Thanks, Dennis




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (11/2/2011 10:46:11 PM)

So far two pairs of users have hit a looping login issue in both the regular site and the beta. In all cases clearing cookies fixed the problem. I have not been able to get a reproducible case or even many details on what exactly is going on, but clearly there are some cookie issues: https://www.cellartracker.com/forum/tm.asp?m=169429

I have made three sets of defensive changes to subtle things that could, in theory, maybe have caused the issue, although I have not been able to get them to cause it. Code can be frustrating that way, and I am always a little superstitious about cookies since the browser seems a little finicky.

Meanwhile I did add a new feature. If a user tries to login but has cookies disabled, rather than silent failure they will now get a positive confirmation that they must turn cookies on.

If anyone hits this looping issue at login, please, please, please browse to these two pages and send me the full output of each:

http://www.cellartracker.com/ua.asp
https://www.cellartracker.com/ua.asp




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (11/3/2011 12:52:19 PM)

OK, one other change. Registered & logged in users who have not made a voluntary payment no longer see ads. Too many people are using older versions of IE which moronically prompts on mixed content pages, since Google does not offer an SSL-friendly version of AdSense. Sadly this is a REALLY expensive decision for me, but it is just THE RIGHT THING to do for the security and convenience of the community.




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (11/14/2011 8:48:57 PM)

Things have generally been quite smooth over the past 2 weeks. A few issues have hit a small number of folks:
  • Some users, especially in IE9, were seeing odd looping behavior. I hope that is solved now after some changes. Please see: https://www.cellartracker.com/forum/tm.asp?m=170759
  • I have occasionally seen some odd behavior in Mobile Safari on my iPhone where cookie handling goes from allowing cookies to Never. This prevents users from logging in and logging out, and breaks things like impersonation. I think this issue may have more to do with iOS5 than my changes and is just purely coincidental timing.
  • Users of Windows Phone 7 and 7.5 are seeing certificate errors due to the fact that WP7 has an incomplete set of root certificates. The only workaround for now is to download http://www.cellartracker.com/startcom.cer to your desktop and then email it to yourself on the phone. That will give you an option to install the certificate which fixes the issue. Hopefully in the future the Windows Phone team will have a better process (à la Windows and EVERY other major browser) to ensure that all root certs are included.
  • Some users with older versions of Windows XP have hit certificate issues as well. The solution has been to install the root certificate update from this KB article: http://support.microsoft.com/kb/931125





Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (11/21/2011 1:17:38 PM)

Things seem to be going pretty smoothly now. In preparation for an email out to all CellarTracker users, I have put together a FAQ on the changes: https://www.cellartracker.com/ow.asp?PasswordSecurity




wnissen -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (11/22/2011 10:35:13 AM)

Dear Eric,

I am so happy with these changes, I re-upped six months early. Thank you for taking the quality of your security as seriously as the quality of the database. I guess all that Twitter OAuth work wasn't completely wasted? :)

Walt




Eric -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (11/22/2011 10:54:46 AM)

Thanks so much Walt!

I sleep better with all of these changes in place. (And in my FAQ read about Firesheep for fun. I also recommend that any Facebook users go to your Facebook Security Options and turn on the non-default option to force secure browsing in Facebook.)




gbm -> RE: COMING SOON: CellarTracker moves to pure-SSL traffic (11/22/2011 7:26:06 PM)

Thanks Eric.

I noticed the address bar turned green when I went to the forum, so I jumped over here to see what the fuss was about. Seems like you've made A LOT of changes under the radar and I, for one, am grateful. It still can't help me find my cell phone though. [;)]



