Security Updates
9 years ago
Norway

Welcome back, oh dearest and most patient friends,

it took a while, but the site should now be a little bit more secure. I was focussing on the most pressing issues, trying to find a balance between reworking most of the things and making the site and its data available again.

So please, if you find security issues, do not hesitate to tell us in private. I promise, security reports will be taken seriously and we will fix them ASAP.

For now, the following things have changed:

  • In most places, instead of removing a bunch of seemingly evil characters, HTML encoding is now in place. With this, we now allow for basically all characters in game/categories/variables names. Usernames are still restricted, though. This might change in the future.
  • The username/password cookies are gone. If you still have those, they will be automatically removed (so to be 100% accurate: if you are reading this, your cookies are already gone). Instead, we now issue simple session cookies that will be deleted when you close your browser. Yes, this means you now have to log in more frequently. The session cookies are httponly, so they're not accessible from JavaScript (and hence safe against XSS attacks).
  • Instead of MD5, passwords are now hashed using bcrypt (with a cost factor of 10). All existing hashes will be automatically upgraded to bcrypt on the first login of each user. Using bcrypt instead of MD5 dramatically improves password security in case an attacker gains access to the database.

With all that being said, there are still open issues:

  • CSRF attacks are still possible. It will take time to convert all state-changing requests to POST and introduce a CSRF token. We're working on it.
  • Everything is still using HTTP. I'm not aware of concrete plans to change this. Using CloudFlare's "halfass" SSL would be an option, even though I personally would much rather see a simple cert on sr.com itself.
  • It's very possible that I introduced a few bugs into the site. I'm sorry, but that's the way things are. Please report them, so we can fix them.

Thanks for your patience during the outage.

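As an added illustration of two items from the post above (this is example code written for this thread, not the site's own code), the login path below verifies a legacy MD5 hash, rehashes with a strong scheme on the first successful login, and issues a non-persistent HttpOnly session cookie. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for the site's bcrypt here; the upgrade-on-login flow is identical. The user record layout, the `pbkdf2_sha256$` storage format and the cookie name `session` are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie

# Stand-in for bcrypt cost 10: PBKDF2-HMAC-SHA256 from the stdlib (assumed,
# not the site's scheme). Iteration count follows current OWASP guidance.
PBKDF2_ITERATIONS = 600_000


def legacy_md5(password):
    """The old, unsalted MD5 hex digest the site used to store."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Salted, slow hash in a self-describing 'scheme$iters$salt$dk' form."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password, stored):
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(user, password):
    """Check the password; if the record is still MD5 and the password is
    right, replace the stored hash in place (the first-login upgrade)."""
    stored = user["password_hash"]
    if stored.startswith("pbkdf2_sha256$"):
        return verify_strong(password, stored)
    # Legacy path: the plaintext is only available now, so this is the one
    # moment the hash can be upgraded without asking the user to reset it.
    if not hmac.compare_digest(legacy_md5(password), stored):
        return False
    user["password_hash"] = strong_hash(password)
    return True


def new_session_id():
    """Unguessable session identifier (256 bits of randomness)."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id):
    """Set-Cookie value for a session cookie: HttpOnly keeps it away from
    script, and no Expires/Max-Age means the browser drops it on close.
    (Add the Secure flag once the site moves to HTTPS.)"""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["path"] = "/"
    c["session"]["samesite"] = "Lax"
    return c.output(header="").strip()


if __name__ == "__main__":
    # Constructed user record still carrying a legacy MD5 hash.
    alice = {"name": "alice", "password_hash": legacy_md5("correct horse")}
    print("login ok:", verify_and_upgrade(alice, "correct horse"))
    print("stored now:", alice["password_hash"][:30], "...")
    print(session_cookie_header(new_session_id()))
```

The stored format carries the scheme name, so the verifier can tell legacy rows from migrated ones without an extra column, and a later cost increase can be handled the same way: verify with the old parameters, then rehash.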

This is definitely good to hear. It'd probably be a good idea to list the e-mail address (or some other means) to report security issues right in this thread.

Just send them to me (pac413 ɑt gmail.com) for the moment, until we get a dedicated address set up.

United Kingdom

Having to log in every time I visit the site is pretty annoying, but obviously it's better than being unsafe. Is there no way to stay logged in without exposing myself to leet hackers?

Victoria, Australia
stoot
He/Him, They/Them
9 years ago

I'm guessing this is because of the changes to special characters, but the brackets have been removed from the game name on http://www.speedrun.com/yhtwtgsteam and I can't re-add them.

Norway

Thanks for noticing, Klashik, this bug has indeed been introduced lately and is fixed now. I fixed the game title for you already.

Norway

mobiusman, we can adjust session durations later. At the moment the default server config (which is out of my reach) handles expiring sessions, which leads to frequent logouts at the moment.

Using a different session backend will allow us to fine-tune the session timeout, but it's not on the "pressing issues" list. Thanks for your feedback though!

United States

Well, if I have to log in every single time I visit the site we'll see how often I get around to approving runs now.

You need to remember to decode those HTML entities just before displaying them on the site... type "kirby" (no quotes) into the search box at the top of the site, for example, and see the glorious 039s.
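The "039s" in that search result are the `&#039;` entity that PHP's `htmlspecialchars(..., ENT_QUOTES)` emits for a single quote (that the site uses it is an assumption). The following added example, not code from the site, reproduces the symptom: titles escaped once when saved and again when rendered come out as `&amp;#039;`, which the browser shows literally. Storing the raw text and encoding exactly once at output fixes both the display and a second problem, that a search containing `&` or `'` no longer matches escaped rows. The game titles are constructed sample data.

```python
import html


def php_style_escape(text):
    """Escape like PHP htmlspecialchars(ENT_QUOTES): '&' first so existing
    entities are not corrupted, then the four markup-significant characters.
    Python's html.escape() would emit &#x27; for the quote; &#039; is used
    here to match what the thread reports seeing."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;")
                .replace("'", "&#039;"))


# Constructed game titles exactly as a user would type them.
RAW_TITLES = ["Kirby's Dream Land", "Yoshi's Island <Beta>", "Rock & Roll Racing"]


def search_buggy(query):
    """Escape-before-storage: rows are saved already encoded, then encoded
    again on the way out, so &#039; becomes &amp;#039; (double encoding)."""
    db = [php_style_escape(t) for t in RAW_TITLES]
    hits = [t for t in db if query.lower() in t.lower()]
    return [php_style_escape(t) for t in hits]


def search_fixed(query):
    """Store raw text, match against raw text, encode once at render time.
    Every title is still safe to drop into HTML, including '<Beta>'."""
    hits = [t for t in RAW_TITLES if query.lower() in t.lower()]
    return [php_style_escape(t) for t in hits]


def as_displayed(fragment):
    """What a browser shows for an HTML text fragment (one round of decoding)."""
    return html.unescape(fragment)


if __name__ == "__main__":
    for fn in (search_buggy, search_fixed):
        for q in ("kirby", "rock & roll"):
            out = fn(q)
            print(f"{fn.__name__}({q!r}) -> {out} shown as {[as_displayed(o) for o in out]}")
```

The rule this encodes is "escape at the boundary where the data leaves for a particular context", here HTML body text; the same raw value would need URL encoding in a link and JSON encoding in a script block, which is why encoding it once on the way into the database cannot be right for all of them.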

United States

Faschz, I forwarded your post to the team. As discussed in this thread, bring up future issues privately and they will be handled.

United States

The site was down for a bit this morning due to server loading issues. We worked with the server admin to fix some of these issues. The site should hopefully be running a little faster, but there's still improvement to be made.

The search bar bug was fixed.

IL tables might be fixed. Some changes were made, but I'm unsure if they fixed the whole issue, so let us know.

An HTML issue was fixed. Some moderator permission issues were fixed. We're aware of a couple of other moderator permission issues that may not have been fully addressed yet.

United States

User login sessions should be lasting longer now.
