Ticket #88 (closed enhancement: fixed)

Opened 12 years ago

Last modified 12 years ago

enhance CELO security (md5 passwords in db, SSL cert)

Reported by: joshuadf
Owned by: joshuadf
Priority: major
Milestone:
Component: systems
Version:
Keywords:
Cc:

Description

CELO is CGI-based, so we should enhance its security:

  • minimize places with plaintext passwords, and store only md5 hash in the database
  • force SSL connection when using CGI scripts

Change History

comment:1 Changed 12 years ago by joshuadf

  • Status changed from new to assigned

I have added a UW-signed SSL cert; any computer without UWICK installed will need to load the UW-CA cert from http://certs.cac.washington.edu/?req=svpem

Now when you go to CELO you are redirected to https://celo.biostr.washington.edu/celo/ (or the appropriate CGI page). The configuration is in /etc/httpd/conf.d/celo.vhost; the important lines for the redirect are:

  RedirectMatch ^/$ https://celo.biostr.washington.edu/celo/
  RewriteEngine on
  RewriteRule ^/(.*) https://celo.biostr.washington.edu/$1 [R]

comment:2 Changed 12 years ago by joshuadf

  • Status changed from assigned to closed
  • Resolution set to fixed

Encrypting the passwords involved changing the underlying WIRM code as well as CELO since the passwords are in the database. You can see the code here:

http://sig.biostr.washington.edu/viewcvs/viewcvs.cgi/src/wirm/wrm/cgi/user-login.pl.diff?r1=1.12&r2=1.10

The generate_password_hash sub implements three password storage best practices:

  • SHA1 hash instead of plaintext; better than MD5 and no longer patented
  • Pseudorandom salt: identical passwords generate different hashes to avoid Rainbow Table lookup
  • Embedded string: prevent backdoor database insert, attacker would require access to both DB and web code

See http://en.wikipedia.org/wiki/Salt_%28cryptography%29 for more info.
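
The three properties listed in comment:2, as an added Python example (not the WIRM Perl code from the linked diff). The record format, salt length, `EMBEDDED` value and concatenation order are assumptions; `kdf_record` swaps SHA1 for PBKDF2-HMAC-SHA256, a deliberately slow function, to show the same layout with a current primitive.

```python
import hashlib
import hmac
import os

# Assumption: stands in for the "embedded string" that lives in the web code only.
EMBEDDED = b"constructed-example-embedded-string"

def sha1_record(password, salt=None):
    """Ticket's scheme: SHA1 over embedded string + random salt + password."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(EMBEDDED + salt + password.encode()).hexdigest()
    return "sha1$%s$%s" % (salt.hex(), digest)

def kdf_record(password, salt=None, iterations=600_000):
    """Same layout with a slow KDF: the embedded string keys an HMAC, then PBKDF2."""
    salt = os.urandom(16) if salt is None else salt
    keyed = hmac.new(EMBEDDED, password.encode(), hashlib.sha256).digest()
    derived = hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), derived.hex())

def verify(password, record):
    """Recompute from the stored salt and compare in constant time."""
    parts = record.split("$")
    try:
        if parts[0] == "sha1" and len(parts) == 3:
            expected = sha1_record(password, bytes.fromhex(parts[1]))
        elif parts[0] == "pbkdf2" and len(parts) == 4:
            expected = kdf_record(password, bytes.fromhex(parts[2]), int(parts[1]))
        else:
            return False
    except (ValueError, OverflowError):  # malformed hex or iteration count in the row
        return False
    return hmac.compare_digest(expected.encode(), record.encode())

def demo():
    """Check the three properties on constructed inputs."""
    a, b = sha1_record("correct horse"), sha1_record("correct horse")
    # Constructed row written straight into the DB without the embedded string:
    salt = os.urandom(8)
    db_only = "sha1$%s$%s" % (salt.hex(), hashlib.sha1(salt + b"correct horse").hexdigest())
    return {
        "salted_rows_differ": a != b,
        "good_password_ok": verify("correct horse", a) and verify("correct horse", b),
        "wrong_password_rejected": not verify("wrong", a),
        "db_only_row_rejected": not verify("correct horse", db_only),
        "kdf_roundtrip": verify("correct horse", kdf_record("correct horse", iterations=1000)),
    }

if __name__ == "__main__":
    print(demo())
```
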
