
COMING SOON: CellarTracker moves to pure-SSL traffic

COMING SOON: CellarTracker moves to pure-SSL traffic - 10/10/2011 2:41:33 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
In the coming week to 10 days, I will be moving all logged in users on CellarTracker to use SSL (Secure Sockets Layer) aka HTTPS. My goal is to do this with hopefully no disruption and no need for people to login again. I will be making a number of other best-practice changes around password retention and transmission policies. In fact, the core change is already live. With the exception of some mixed content messages that unpaid users will see (Google AdSense doesn't support SSL), things should work quite smoothly already. If you wish to use CellarTracker over SSL already, I recommend logging out and then logging back in via https://www.cellartracker.com/password.asp

_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker
Post #: 1
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/10/2011 3:09:12 PM   
wnissen

 

Posts: 95
Joined: 3/1/2004
Status: offline
Dear Eric,

Thanks! I was always concerned about the plaintext transmission of passwords. I use a different password for Cellartracker because of that, but most people use one or two passwords for everything. Glad to see the SSL, and I trust that the passwords will be salted and hashed for storage as well, to reduce the attractiveness of Cellartracker as a target.

Walt

(in reply to Eric)
Post #: 2
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/10/2011 3:27:10 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
Walt, that is exactly correct.

_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to wnissen)
Post #: 3
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/10/2011 8:48:46 PM   
collin

 

Posts: 25
Joined: 9/11/2005
Status: offline
are you going to change the excel download?

(in reply to Eric)
Post #: 4
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/10/2011 8:54:20 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
quote:

ORIGINAL: collin

are you going to change the excel download?

TBD. I will likely move it to SSL download. I don't see any easy way to move away from the plain-text password there though.


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to collin)
Post #: 5
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/11/2011 2:24:12 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
As of a few minutes ago, all cookies newly generated by my web server are marked as HttpOnly to help mitigate against the ramifications of an XSS attack in a mainstream browser. There is lots of debate as to how worthwhile this really is, but given that it is best practice I thought it made sense to do it.

_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 6
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/14/2011 6:03:02 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
And how do you like those apples? A Class 4 (EV) certificate. Heck, even Google doesn't bother with those for their sites.



The dev work is continuing albeit painstakingly, but I do think I should be on track to launch this at the end of next week.

< Message edited by Eric -- 10/27/2011 11:14:53 PM >


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 7
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/21/2011 11:32:05 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
Well I'm still not quite there. All coding has been done except for the last task: a new password reminder feature to generate a temporary password token that will allow a user to login and reset their password. The idea is that the site will not even store the password and as such cannot email the password to a user. The best it can do is to send a temporary password to the email on record to allow a user to gain access to their account and set a new password.


< Message edited by Eric -- 10/21/2011 11:33:17 PM >


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 8
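The storage and reset model described in this post and in Walt's exchange with Eric above (salted hash at rest, a temporary token rather than an emailed password), as an added example that is not CellarTracker's code. The table names, the choice of PBKDF2-SHA256 with the iteration count shown, the 30-minute token lifetime and the test handle are all assumptions; the only properties it takes from the thread are that the password itself is never stored and that a reset hands out a short-lived, single-use credential instead of the password.

```python
# Added example, not CellarTracker code: salted password hashing plus a
# one-time reset token. Names, parameters and the test handle are assumptions.
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumption: raise until one check costs ~100 ms
RESET_TOKEN_TTL = 30 * 60     # assumption: a reset token is good for 30 minutes

USERS = {}          # handle -> {"salt": bytes, "hash": bytes}; no password kept
RESET_TOKENS = {}   # sha256(token) -> {"handle": str, "expires": float}


def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def set_password(handle, password):
    """Store a fresh random salt and the derived key, never the password."""
    salt = os.urandom(16)
    USERS[handle] = {"salt": salt, "hash": derive_key(password, salt)}


def check_password(handle, password):
    rec = USERS.get(handle)
    if rec is None:
        derive_key(password, bytes(16))   # same cost for unknown handles (timing)
        return False
    return hmac.compare_digest(rec["hash"], derive_key(password, rec["salt"]))


def issue_reset_token(handle, now=None):
    """Return the one-time token to email. Only its hash is stored, so a copy
    of the table cannot be turned into live reset links."""
    if handle not in USERS:
        return None     # reply to the requester exactly as for a known handle
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = {
        "handle": handle, "expires": now + RESET_TOKEN_TTL}
    return token


def redeem_reset_token(token, new_password, now=None):
    """Consume the token; unknown, expired or already-used tokens all fail."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if rec is None or now > rec["expires"]:
        return False
    set_password(rec["handle"], new_password)
    return True
```

Two details worth keeping when adapting this: the reset request should produce the same response and the same delay whether or not the handle exists, so the feature cannot be used to enumerate accounts, and the token is popped before the expiry check so an expired token is gone for good rather than lingering in the table.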
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/25/2011 12:43:54 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
Just an update. OK, I am getting close.

The password reset token stuff required some new pages and infrastructure, but I have it pretty well sorted out now. I may also take an extra day or two to add some optional "biometric" features, namely the ubiquitous question and answer ("What is your first pet's name?", "What is your mother's maiden name?" etc.) to add a hurdle to the password reset feature. This protects people if your email is hijacked. That said, since CellarTracker is not a banking website, is not transactional etc, it's not really the same sort of priority as just really securing the password you use on CT. So I may just push ahead and revisit biometrics later as a "nice to have" but far less essential security feature. In fact, I would argue that it is a much higher priority for me to implement OAUTH 2.0 or some other system to allow you to use 3rd party apps like Cor.kz and CellarVU without having to reveal your credentials. (That said, I have added some API features that will allow them to get what they need to access your CT account and not have to RETAIN your password. So that is a useful baby step.) Full on OAUTH etc. is a MUCH bigger undertaking.

All that to say, this is getting very close. It's a rich space with plenty of layers of the onion to peel, but I have taken a really good and healthy bite out of the problem space. I have also been testing it like crazy, as it will break "the world" if I screw up.


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 9
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/27/2011 10:13:59 AM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
OK, I will likely pull the switch on this TONIGHT around 10pm Pacific time. There will likely be a brief 15 minute outage while I do this. (I will also be finishing the upgrade to SP3 of SQL 2008.)

_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 10
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/27/2011 11:14:14 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
OK, wow, at last, these changes are LIVE. I will be up for a few hours monitoring for glitches and kinks. I hope I didn't break the world...

_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 11
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/27/2011 11:49:53 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
OK, people who use the Excel download should grab the latest version from https://www.cellartracker.com/webquery.xls as it has been tweaked to hit all HTTPS links.

_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 12
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/28/2011 8:15:47 AM   
brigcampbell

 

Posts: 2483
Joined: 2/16/2009
From: Mission Viejo, CA
Status: offline
Fyi when I connected the first time from my blackberry I got a warning about the certificate. Click ok and it's working.

The bookmark was the http address.

_____________________________

Sincerely,

-brig campbell

(in reply to Eric)
Post #: 13
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/28/2011 8:40:28 AM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
The site redirects you from HTTP to HTTPS if you are a logged in user, and then it rewrites your cookies.

I would love to track down what made the BB unhappy on the first visit, or does it force you to confirm all SSL sites?


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to brigcampbell)
Post #: 14
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/28/2011 10:02:30 AM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
FYI, there are early reports of at least one person having difficulty with the new Excel download in Mac Excel 2008. Assuming that cannot be worked around, I have re-posted a version of the old, insecure spreadsheet at http://www.cellartracker.com/Webquery_Insecure.xls

Please use it with caution, as it will send your password in cleartext over the wire.


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 15
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/28/2011 8:21:23 PM   
brigcampbell

 

Posts: 2483
Joined: 2/16/2009
From: Mission Viejo, CA
Status: offline
quote:

ORIGINAL: Eric

The site redirects you from HTTP to HTTPS if you are a logged in user, and then it rewrites your cookies.

I would love to track down what made the BB unhappy on the first visit, or does it force you to confirm all SSL sites?



Very easy to reproduce by clearing cookies.

When I login it displays this message:

"you are attempting to open a secure connection, but the servers certification is not trusted" then I have options to continue, close connection, view certificate, trust certificate.

Don't know about other ssl sites...

< Message edited by brigcampbell -- 10/28/2011 8:27:15 PM >


_____________________________

Sincerely,

-brig campbell

(in reply to Eric)
Post #: 16
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/28/2011 8:23:21 PM   
brigcampbell

 

Posts: 2483
Joined: 2/16/2009
From: Mission Viejo, CA
Status: offline
FYI my Android didn't care.

_____________________________

Sincerely,

-brig campbell

(in reply to brigcampbell)
Post #: 17
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/28/2011 9:06:23 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
It is a level 4 validated cert that has been through more scrutiny than any cert that Google uses on any of their sites. Crazy. I will see if there is something else I need to do to make Blackberry happy.
Ironically I found this: http://www.google.com/support/mobile/bin/answer.py?hl=en&answer=113851

Actually I find THOUSANDS of references to this for all manner of sites and even core Blackberry functionality: http://www.google.com/search?hl=en&client=firefox-a&hs=ySg&rls=org.mozilla:en-US:official&q=+site:supportforums.blackberry.com+blackberry+you+are+attempting+to+open+a+secure+connection,+but+the+servers+certification+is+not+trusted

These apparently are not very trusting devices...


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to brigcampbell)
Post #: 18
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/30/2011 12:51:01 PM   
dsGris

 

Posts: 4712
Joined: 8/31/2009
From: Portland, OR
Status: offline
Eric,
Yesterday I downloaded the new Excel web query. Everything was working well. I have 3 sheets that I got formulas from Richard Sandler that allow me to have a visual Excel spreadsheet of the cellar.
This morning, after reading about the password possible problem on the old query, I decided to change to a new wine specific password. Now the 3 wine cellar sheets are blank and do not refresh, the formulas still show in the cells, just no wine info.
Any help would be appreciated.
Dennis


_____________________________

DennisG
Granpa Wino

(in reply to Eric)
Post #: 19
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/30/2011 12:57:06 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
Dennis, in the Excel spreadsheet, did you go to the first tab and change the password to match your new one on the site?

Also, please note that once you use this old Excel sheet, you are broadcasting your new password in plaintext across the web. That is why I have a new version of the sheet that uses all HTTPS links.


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to dsGris)
Post #: 20
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/30/2011 1:23:04 PM   
dsGris

 

Posts: 4712
Joined: 8/31/2009
From: Portland, OR
Status: offline
Eric,
Yes I did download the new https version, entered handle and new password. The regular info refreshes, just the cellar sheets come up blank. I did not want to delete out the old http version until the new one was tested. Everything was working fine until I changed the passwords. I tried a second download to test with similar results.
Thanks, Dennis


_____________________________

DennisG
Granpa Wino

(in reply to Eric)
Post #: 21
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/30/2011 1:26:21 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
Does the OLD sheet work with the new password? If not then you are mistyping the password...
Are you saying that the new sheet DOES work with the new password except for SOME of the sheet tabs? If so WHICH exact tab(s)?


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to dsGris)
Post #: 22
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 10/31/2011 2:15:10 PM   
dsGris

 

Posts: 4712
Joined: 8/31/2009
From: Portland, OR
Status: offline
Eric,
I e-mailed rasandler to see if he can come to the rescue as I got the original formulas from him. It was acting weirdly today when I was copying the formulas to send for him to check out. I still do not understand why changing the password would cause the problem. All the other pages refresh as they should. The pages I am referring to are the 3 that I added: rack view, rack counts & rack names.
Thanks, Dennis


_____________________________

DennisG
Granpa Wino

(in reply to Eric)
Post #: 23
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 11/2/2011 10:46:11 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
So far two pairs of users have hit a looping login issue in both the regular site and the beta. In all cases clearing cookies fixed the problem. I have not been able to get a reproducible case or even many details on what exactly is going on, but clearly there are some cookie issues: https://www.cellartracker.com/forum/tm.asp?m=169429

I have made three sets of defensive changes to subtle things that could, in theory, maybe have caused the issue, although I have not been able to get them to cause it. Code can be frustrating that way, and I am always a little superstitious about cookies since the browser seems a little finicky.

Meanwhile I did add a new feature. If a user tries to login but has cookies disabled, rather than silent failure they will now get a positive confirmation that they must turn cookies on.

If anyone hits this looping issue at login, please, please, please browse to these two pages and send me the full output of each:

http://www.cellartracker.com/ua.asp
https://www.cellartracker.com/ua.asp


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to dsGris)
Post #: 24
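The cookie mechanics described across this thread (HttpOnly cookies in post 6, the HTTP-to-HTTPS redirect that then rewrites cookies in post 14, and the cookies-disabled confirmation in this post), as an added example that is not CellarTracker's code. The cookie names, the request dict shape, the in-memory session table and the test credential are assumptions. It adds one flag the posts do not mention, Secure, because a session cookie without it is still sent over plain http and is exactly what Firesheep collects; and it rotates a pre-switch session id on the first https request rather than reusing one that may already have crossed the wire in the clear.

```python
# Added example, not CellarTracker code: HTTP->HTTPS redirect for logged-in
# users, session rotation into HttpOnly+Secure cookies, and a probe cookie that
# turns a cookies-disabled login into an explicit message. All names are
# hypothetical.
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "ct_session"   # hypothetical cookie names
PROBE_COOKIE = "ct_probe"

# Constructed test credential; real storage is a salted hash, not this dict.
USERS = {"walt": "correct horse"}
# session id -> {"user": handle, "secure": issued with the Secure flag?}
SESSIONS = {}


def set_cookie_header(name, value, secure=True):
    """Build one Set-Cookie value. HttpOnly keeps page script (hence XSS) from
    reading it; Secure keeps the browser from ever sending it over plain http."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"        # fixed path and no Domain attribute, so a
    c[name]["httponly"] = True   # rewrite replaces the old cookie instead of
    if secure:                   # leaving two copies that fight each other
        c[name]["secure"] = True
    return c[name].OutputString()


def new_session(user, secure):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "secure": secure}
    return sid


def check_password(user, password):
    return secrets.compare_digest(USERS.get(user, "").encode(), (password or "").encode())


def handle(req):
    """req: {"scheme", "host", "method", "path", "cookies": {}, "form": {}}.
    Returns (status, [(header, value), ...], body)."""
    cookies = req.get("cookies", {})
    sid = cookies.get(SESSION_COOKIE)
    session = SESSIONS.get(sid)
    headers = []

    # 1. A logged-in user (or anyone heading for the login form) over plaintext
    #    is sent to https. No Set-Cookie here: current browsers refuse a Secure
    #    cookie set over http, so the rewrite waits for the https request.
    if req["scheme"] == "http" and (session or req["path"] == "/login"):
        return 302, [("Location", "https://" + req["host"] + req["path"])], ""

    # 2. First https request carrying a session issued before the switch: the
    #    old id may have crossed the wire in the clear, so retire it and issue
    #    a fresh one with Secure. Once "secure" is recorded this never fires
    #    again, which is the guard against a rewrite loop.
    if req["scheme"] == "https" and session and not session["secure"]:
        del SESSIONS[sid]
        sid = new_session(session["user"], secure=True)
        session = SESSIONS[sid]
        headers.append(("Set-Cookie", set_cookie_header(SESSION_COOKIE, sid)))

    if req["path"] == "/login":
        if req["method"] == "GET":
            # The form plants a probe cookie; if it does not come back with the
            # POST, the browser is dropping cookies and we say so.
            headers.append(("Set-Cookie", set_cookie_header(PROBE_COOKIE, "1")))
            return 200, headers, "<form method=post>...</form>"
        if PROBE_COOKIE not in cookies:
            return 200, headers, "Cookies must be enabled to log in."
        form = req.get("form", {})
        if not check_password(form.get("user"), form.get("password")):
            return 401, headers, "bad credentials"
        sid = new_session(form["user"], secure=True)
        headers.append(("Set-Cookie", set_cookie_header(SESSION_COOKIE, sid)))
        headers.append(("Location", "/"))
        return 302, headers, ""

    return 200, headers, ("hello " + session["user"]) if session else "anonymous"
```

The comment on path and Domain is the practitioner's caveat for a rewrite like this: if the replacement cookie is set with different Path or Domain attributes than the original, the browser keeps both and may keep presenting the old one, so the server rewrites again on every request. Checking the flags from outside is a one-liner: `curl -sI https://host/ | grep -i set-cookie` should show `HttpOnly` and `Secure` on the session cookie.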
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 11/3/2011 12:52:19 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
OK, one other change. Registered & logged in users who have not made a voluntary payment no longer see ads. Too many people are using older versions of IE which moronically prompts on mixed content pages, since Google does not offer an SSL-friendly version of AdSense. Sadly this is a REALLY expensive decision for me, but it is just THE RIGHT THING to do for the security and convenience of the community.


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 25
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 11/14/2011 8:48:57 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
Things have generally been quite smooth over the past 2 weeks. A few issues have hit a small number of folks:
  • Some users, especially in IE9, were seeing odd looping behavior. I hope that is solved now after some changes. Please see: https://www.cellartracker.com/forum/tm.asp?m=170759
  • I have occasionally seen some odd behavior in Mobile Safari on my iPhone where cookie handling goes from allowing cookies to Never. This prevents users from logging in and logging out, and breaks things like impersonation. I think this issue may have more to do with iOS5 than my changes and is just purely coincidental timing.
  • Users of Windows Phone 7 and 7.5 are seeing certificate errors due to the fact that WP7 has an incomplete set of root certificates. The only workaround for now is to download http://www.cellartracker.com/startcom.cer to your desktop and then email it to yourself on the phone. That will give you an option to install the certificate which fixes the issue. Hopefully in the future the Windows Phone team will have a better process (a la Windows and EVERY other major browser) to ensure that all root certs are included.
  • Some users with older versions of Windows XP have hit certificate issues as well. The solution has been to install the root certificate update from this KB article: http://support.microsoft.com/kb/931125



_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 26
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 11/21/2011 1:17:38 PM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
Things seem to be going pretty smoothly now. In preparation for an email out to all CellarTracker users, I have put together a FAQ on the changes: https://www.cellartracker.com/ow.asp?PasswordSecurity

_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to Eric)
Post #: 27
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 11/22/2011 10:35:13 AM   
wnissen

 

Posts: 95
Joined: 3/1/2004
Status: offline
Dear Eric,

I am so happy with these changes, I re-upped six months early. Thank you for taking the quality of your security as seriously as the quality of the database. I guess all that Twitter OAuth work wasn't completely wasted? :)

Walt

(in reply to Eric)
Post #: 28
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 11/22/2011 10:54:46 AM   
Eric

 

Posts: 17314
Joined: 10/10/2003
From: Seattle, WA
Status: offline
Thanks so much Walt!

I sleep better with all of these changes in place. (And in my FAQ read about Firesheep for fun. I also recommend that any Facebook users go to your Facebook Security Options and turn on the non-default option to force secure browsing in Facebook.)


_____________________________

Cheers!
-Eric LeVine

http://twitter.com/cellartracker
http://facebook.com/cellartracker

(in reply to wnissen)
Post #: 29
RE: COMING SOON: CellarTracker moves to pure-SSL traffic - 11/22/2011 7:26:06 PM   
gbm

 

Posts: 2220
Joined: 3/12/2008
From: Connecticut
Status: offline
Thanks Eric.

I noticed the address bar turned green when I went to the forum, so I jumped over here to see what the fuss was about. Seems like you've made A LOT of changes under the radar and I, for one, am grateful. It still can't help me find my cell phone though.

_____________________________

Greg

(in reply to Eric)
Post #: 30