tmssoftware.com

Security

BIZ TMS Sparkle
#1

< ="text/">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 10.0px Helvetica}

Hi Wagner,

I have a question about security, not really a support issue but wondered what yours or others recommendations might be?

Since most of our customers will be using Xdata/Sparkle from within their own network http is much easier than https as getting a certificate for a local IP address isn't practical.  Still I'd like to obfuscate the logon credentials and we will be using JWT to control access rights.  So my question is in regard to how best to implement that. 

I think I am just going to encrypt the user name and password and store the key in both the server and the client and have a common algorithm to salt the password so that it's different every time. I know there are many vulnerabilities with this approach and that someone could just grab the JWT token and by-pass security altogether.

Or perhaps I should just create a testing certificate for each site and use https?  What do you think?   

#2

Hi Steve,


Security is always a compromise. It's important that you measure the chances of your app being attacked, the technical level of the attackers, and the impact of such attack.
Then you implement the proper measures to avoid that. Encrypting the user name and password in each side is one measure, indeed. It helps since the user/password might never change.
But, indeed, a sniffer could get the token and have access to the server anyway - even though the token would be time-limited. Again, you have to measure the odds.

If you think sniffing is a security concern in your internal network, then I guess encrypting everything is the only solution, and the easiest way to do it imho is using SSL, not reinventing the wheel.

Using SSL in internal networks is more difficult than with public computers, but it's not impossible, and once you have the solution, you have it and you can replicate it to all your customers. 
There are several ways of doing that, using DNS validation, building your own CA, accepting self-signed certificates, etc..
Here are some good references:

https://blog.heckel.io/2018/08/05/issuing-lets-encrypt-certificates-for-65000-internal-servers/
https://serverfault.com/questions/964119/enable-https-on-a-private-network
https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network
https://www.reddit.com/r/selfhosted/comments/59unu2/httpscertificate_for_internal_network/


#3

brilliant, thanks very much.

© tmssoftware.com