Opened 14 years ago

Closed 14 years ago

#88 closed enhancement (fixed)

enhance CELO security (md5 passwords in db, SSL cert)

Reported by: joshuadf Owned by: joshuadf
Priority: major Milestone:
Component: systems Version:
Keywords: Cc:


CELO is CGI-based, so we should enhance its security:

  • minimize places with plaintext passwords, and store only md5 hash in the database
  • force SSL connection when using CGI scripts

Change History (2)

comment:1 Changed 14 years ago by joshuadf

Status: new → assigned

I have added a UW-signed SSL cert; any computer without UWICK installed will need to load the UW-CA cert from

Now when you go to CELO you are redirected to (or the appropriate CGI page). The configuration is in /etc/httpd/conf.d/celo.vhost, the important lines for the redirect are:

  RedirectMatch ^/$
  RewriteEngine on
  RewriteRule ^/(.*)$1 [R]

comment:2 Changed 14 years ago by joshuadf

Resolution: fixed
Status: assigned → closed

Encrypting the passwords involved changing the underlying WIRM code as well as CELO since the passwords are in the database. You can see the code here:

The generate_password_hash sub implements three password storage best practices:

  • SHA1 hash instead of plaintext; better than MD5 and no longer patented
  • Pseudorandom salt: identical passwords generate different hashes to avoid Rainbow Table lookup
  • Embedded string: prevent backdoor database insert, attacker would require access to both DB and web code

See for more info.
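The three properties listed above (salted SHA1, per-user pseudorandom salt, and an application-embedded string that a database-only attacker does not know) in a small Python model; this is an added illustration, not the WIRM/CELO Perl code, and the storage format `salt$hexdigest`, the 8-byte salt and the `EMBEDDED_SECRET` value are assumptions.

```python
import hashlib
import secrets
from typing import Optional

# Constructed placeholder for the "embedded string": it lives only in the
# web code, never in the database, so a row forged with DB access alone
# cannot be made to verify.
EMBEDDED_SECRET = "example-embedded-secret-change-me"

SALT_BYTES = 8  # assumed salt size; stored as 16 hex characters


def generate_password_hash(password: str, salt: Optional[str] = None) -> str:
    """Return 'salt$hexdigest' with digest = SHA1(salt + secret + password).

    A fresh pseudorandom salt is drawn when none is supplied, so two users
    with the same password get different stored values (no rainbow-table
    lookup across rows).
    """
    if salt is None:
        salt = secrets.token_hex(SALT_BYTES)
    material = (salt + EMBEDDED_SECRET + password).encode("utf-8")
    return f"{salt}${hashlib.sha1(material).hexdigest()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, sep, _digest = stored.partition("$")
    if sep != "$" or len(salt) != SALT_BYTES * 2:
        return False  # malformed row: reject rather than guess
    candidate = generate_password_hash(password, salt)
    return secrets.compare_digest(candidate, stored)


def salted_sha1_without_secret(password: str, salt: str) -> str:
    """What someone with only database access can compute: plain salted SHA1.

    Used below to show that such a value does not verify, which is the
    point of the embedded string.
    """
    return f"{salt}${hashlib.sha1((salt + password).encode('utf-8')).hexdigest()}"
```

SHA1 is a fast hash, so a deliberately slow password KDF (bcrypt, scrypt, Argon2) is what current guidance recommends in its place; the salt and secret properties carry over unchanged.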
