2FA for all LDAP apps

Lonkle

@marcusquinn Haha, the only reason for that one million comment thread was because I constantly needed to reference back. I've actually got box down pretty well. And, hey, now a random live blog of me doing 1000 things wrong, and finally getting 1002nd attempt right exists in the world! I'll always get to go back and say "hey, that was my first attempt at learning docker, and cloudron." ️

What are the benefits of this Bitwarden connection with Cloudron?

marcusquinn

@Lonk Based on my policy suggestion above, assuming Bitwarden is installed and 2FA enforced:

Current flow:

1. Create a Cloudron User.
2. Create a Bitwarden User.
3. Create an Organisation called Users.
4. Create a Collection for each User, including just that User, with Hide Password and Read Only enabled settings.
5. Create a Bitwarden Login record containing said User Cloudron LDAP Login credentials.
6. Share said record with said User Collection.
7. Add all URLs to all allowed Cloudron Apps to said record.
8. User can now only login to those Cloudron Apps using the Bitwarden extension and can't see or know their Cloudron LDAP password as it is hidden and read-only..

Proposed flow:

1. Have a setting for each App that selects an available Bitwarden instance.
2. Complete the above steps from Cloudron to Bitwarden API.
3. Relax.

Lonkle

Let me mull this over and look into Bitwarden and I'll get back to you.

mehdi

Honestly, I do not like this idea.

It would be great to have it in an external script or something. But integrated into the Cloudron platform ? ... It seems too much of a hack, in my opinion.

fbartels

I agree with @mehdi. That workflow also comes with the downside that while the actual owner of the account does not know his/her own password, you (as the admin) actually now it yourself.

Rather enforce secure passwords and rotate them regularly (in addition to encouraging users to use password managers).

mehdi

@fbartels said in 2FA for all LDAP apps:

and rotate them regularly

(Forcing password rotation when there has been no indication of compromise has actually been proven experimentally to lower security, rather than enhance it : if encourages users to chose simpler passwords, because they're gonna have to remember more passwords)

girish

@mehdi said in 2FA for all LDAP apps:

Forcing password rotation when there has been no indication of compromise has actually been proven experimentally to lower security

This seems to be one of those counter-intuitive ideas. I had no idea it actually lowers security.

Lonkle

I never realized it, but on sites that make me change the password periodically, I totally do keep making them simpler because it's confusing even with password managers cause they mess up saving passwords a lot on password reset pages.

marcusquinn

@Lonk yeah, I hate those forced password changing policies, they are a security risk in themselves as they just increase the likelihood of a keystroke logger being able to capture.

I wrote more on the subject of password security for our team policy here:

https://brandlight.org/h/policies/password-security-policy/

And my thoughts on Security here:

https://www.marcusquinn.com/security/

Hopefully something of interest there to those with similar responsibilities for data security.

Lonkle

@marcusquinn Security has become my newest point of interest in the programming world - amazing how ridiculously insecure things were even 15 years ago.

marcusquinn

@Lonk agreed, and misinformation and information-overload cause a lot of vulnerabilities for people that don't know what we do, and even we find difficult to truly solve. Steps in the right direction though.

marcusquinn

What most people don't realise is that all the add-ons, extensions and social-logins would once have been considered trojans for the snooping capabilities they have.

I mentioned "coffee machine" on a phone call to a friend, hadn't typed it in anywhere or searched anything. Next time I look at Twitter the first ad is for a Nespresso machine.

So, it doesn't matter how good my security is, we all rely on the security of everyone we are connected to.

jdaviescoates

@marcusquinn said in 2FA for all LDAP apps:

Next time I look at Twitter the first ad is for a Nespresso machine.

I only ever look at Twitter through Firefox with ublock origin installed, so don't see ads on there.

The UX is a bit shit in the mobile browser (especially since recent Firefox update, ironically), but that helps me to use it less on my mobile!

marcusquinn

@jdaviescoates Interesting, I deleted the Facebook app a long time ago. Makes me think I should do the same for other social spyware too. Will give it a try.

jdaviescoates

@marcusquinn see also Nitter and similar apps for accessing other platforms.

jdaviescoates

@marcusquinn said in 2FA for all LDAP apps:

I deleted the Facebook app a long time ago

I never even installed it as it asked for such a ridiculous number of permissions.

marcusquinn

@jdaviescoates Nice. will try. Been looking at https://jarvee.com/ - maybe of interest in a similar API access approach but more for data-mining and marketing.

mehdi

@Lonk said in 2FA for all LDAP apps:

amazing how ridiculously insecure things were even 15 years ago.

I think people are going to think the same 15 years from now ^^

mehdi

@marcusquinn said in 2FA for all LDAP apps:

I mentioned "coffee machine" on a phone call to a friend, hadn't typed it in anywhere or searched anything. Next time I look at Twitter the first ad is for a Nespresso machine.

I think it's just a coincidence ^^ There is no reason to think ad companies are literally listening to you 24/7 : it's too costly from a computing power standpoint, so not worth it.

What they're doing is "just" knowing everything else about you : who you're talking to, what your looking at online, what are your interests, your age, where you live ... And based on that, they can just guess that you may be interested in coffee machines.

(Which, if you ask me, is even scarier that being listened to ^^)

marcusquinn

@mehdi I think more likely the person I was talking to had been searching for coffee machine related recently.

I hear a lot of the claims that you'd be able to see the bandwidth if audio was going to central servers but with the computing power in phones I'm pretty sure they can do the local transcription and just send the data encoded for minimal footprint.

It mostly appears to be contact cross-referencing interests but given that any big ad network could acquire data by proxy from a chain of apps to keep their distance from the actual spyware themselves, I'm just increasingly aware of coincidences.