crazybrad
Posts
-
"Backup failed" email notification -
passwordless.dev
@adisonverlice2 Happy to share the Yubico presentation. I just checked and the slides have not been posted yet. I will check next week.
-
passwordless.dev
@adisonverlice2 @necrevistonnezr Thank you both for posting about this. I just returned from an API conference and a presenter from Yubico was advocating for adding passwordless. If/when I receive the slide deck, I will share some resources he mentioned. But I think that Bitwarden is an excellent approach and for most of us, 10,000 users per month will not be an issue. On the other hand, I could buy a lot of Cloudrons and Auth services if I had 10,000 users...
-
Is it possible to use a 3rd party antivirus?
@girish I hadn't considered IMAP folders vs. a generic drive folder. Both could be interesting.
-
Is it possible to use a 3rd party antivirus?
@d19dotca We have successfully used Cloudmersive's API. That being said, they dropped the ball on a bug we reported and we had to implement a workaround. But other than that, it has worked well for us. When users upload a file via browser, we quarantine the file and if it scans clean, we move it into a user's personal storage.
Multiple languages are supported with API libraries. We chose to integrate using cURL to reduce dependencies.
@girish I don't know whether a "listener" process could be attached to Cloudron folders when a file was added or updated and then virus scanned via API before allowing user access. But this could get expensive for servers processing lots of files/attachments as only 800 monthly scans are free.
-
Ubuntu Security Updates Inside Docker Images
@girish Thanks for the complete and thorough explanation. I guess I was fooled by the apt update I saw in one of your docker image definitions (thinking that others would be following your best practice). If you are comfortable with the risk/reward balance then I am comfortable :)
-
Ubuntu Security Updates Inside Docker Images
I was looking at the Git repo for creating docker images and trying to understand how Cloudron applies security updates to underlying docker images.
It seems that when a docker image is updated, the core Ubuntu inside (currently based on 22.04) is updated using available security patches. Is my understanding correct?
What happens for "stale" apps? For example, an app that has not been updated in 3 months or longer? Is that docker image missing 3 months of Ubuntu security updates? There are other apps that have been removed from the App Store, but if previously installed on someone's Cloudron, they can continue to use the app. The app might have really old Ubuntu code.
Can stale or discontinued apps have their Ubuntu core updated inside the docker image?
-
Vaultwarden - Security Enhancement Tip
@andreasdueren Good question. I don't know the answer. Is there something similar for Argon2id parameters?
-
Vaultwarden - Security Enhancement Tip
@LoudLemur I can answer some of your questions. Yes, Account Settings → Security → Keys will allow you to change either the KDF value or change the algorithm to Argon2id. These changes are for your entire account - so browser, desktop, smartphone app would all use the new algorithm/KDF value. I believe you need to log in again if you have an active login whilst changing the algo/KDF. OTP and passphrase I am not using just yet so I can't answer your question from experience. But since these settings are per user, I am tempted to create a test user where I can try out Argon2id settings, and to your point, play with 1 or 2 OTP and passphrases and see the consequences. If they are fatal, then simply delete the user, rinse and repeat until I get it right.
-
Vaultwarden - Security Enhancement Tip
@nichu42 I was going to ask the same. I don't have any insights but would be interested in this as well. In the interim I am going to ask some colleagues who are more involved in network security.
-
Vaultwarden - Security Enhancement Tip
@infogulch Looks like you are right. I checked one of my VW backups and searching for the unique KDF iterations revealed that it is in fact stored in the database. So the information I read after the LastPass breach was incorrect in suggesting that a random value of similar size provided more protection than just using the default value.
As I recall the default value at that time was 100,000 and OWASP was suggesting a much larger number. In fact some long-time users had much smaller KDF iterations, making the hacking effort minimal.
So it looks like the OWASP recommendation should be the minimum KDF iterations and, to @girish's question earlier, perhaps increasing the value based on your own hardware devices in sensible increments.
Thank you @infogulch for correcting my misinformation. But since my random # was higher than 600,000, I'm keeping it :)
-
Vaultwarden - Security Enhancement Tip
@jdaviescoates No problem. Here is the reference to PBKDF2, but the rest of the "cheat sheet" is worth reading as well: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
-
Vaultwarden - Security Enhancement Tip
@girish Great question. I'm not sure I have an answer. I think it depends on the devices you are using Bitwarden/VaultWarden on. The more CPU/RAM available, the less sensitive you will be to a higher KDF. I did use 900K+ after the LastPass compromise and I did notice at times LastPass was slow. I think the recommendation of increasing in ~100K increments is wise so if VW becomes slow, you can back off the last increment.
-
Vaultwarden - Security Enhancement Tip
I wanted to share some information acquired from the school of hard knocks...
Background: I found that VaultWarden uses PBKDF2-SHA-256 as its default encryption with 600,000 iterations. One thing I discovered from security experts after being one of the many unlucky LastPass customers (victims of a hacking incident) was an added vulnerability in that everyone had the same number of KDF iterations based on default installation values. While VW's 600,000 is far greater (and better because it requires more calculation resources) than my LastPass default setting, it is unfortunately the same for everyone - unless you change that :)
Suggestions:
- Set a random value > 600,000 for the # of KDF iterations - Account Settings | Security | Keys. Setting a value too high can make VW a bit unresponsive, so increase sensibly based on VW's suggested increments.
- OWASP publishes a recommendation on the # of iterations for PBKDF2 encryption. Check periodically to make sure your value is equal to or greater than their recommendation.
Note: Each user will need to change this setting for their account.
Benefits: A random KDF means a hacker has many more possible combinations to try. With any luck they will move on to an easier target. Staying at or above OWASP recommended iterations makes sense as well.
Hope this helps.
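As an added example (not from the original post, and not Vaultwarden's own code), a Python script that carries out the two checks the post recommends on your own hardware: confirm an account's PBKDF2-HMAC-SHA256 iteration count is at or above the OWASP floor, and time a single unlock so the count can be raised in ~100K steps and backed off one step once it becomes uncomfortable. The 600,000 floor and the 100K step come from the thread; the sample password, salt and the 1-second budget are constructed values, not from the page.

```python
import hashlib
import os
import time

# Values from the thread: the OWASP cheat-sheet floor for PBKDF2-HMAC-SHA256
# and the ~100K step the poster suggests when raising the count.
OWASP_PBKDF2_SHA256_MIN = 600_000
STEP = 100_000


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output, the scheme the post refers to."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def meets_owasp_minimum(iterations: int) -> bool:
    """The periodic check the post recommends: is the count at or above the floor?"""
    return iterations >= OWASP_PBKDF2_SHA256_MIN


def unlock_seconds(iterations: int) -> float:
    """Wall-clock cost of one vault unlock at this count on the machine running this.
    Password and salt are constructed sample values; the cost depends only on the count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(b"sample-master-password", salt, iterations)
    return time.perf_counter() - start


def highest_comfortable_count(budget_seconds: float, ceiling: int = 3_000_000) -> int:
    """Walk up from the OWASP floor in STEP increments and return the highest count
    whose single unlock still fits the budget (the 'back off one increment' rule).
    Never returns a value below the floor, even if the floor itself exceeds the budget."""
    best = OWASP_PBKDF2_SHA256_MIN
    count = OWASP_PBKDF2_SHA256_MIN
    while count <= ceiling:
        if unlock_seconds(count) > budget_seconds:
            break
        best = count
        count += STEP
    return best


if __name__ == "__main__":
    for n in (OWASP_PBKDF2_SHA256_MIN, OWASP_PBKDF2_SHA256_MIN + STEP):
        print(f"{n:>9} iterations: {unlock_seconds(n):.2f}s, meets floor: {meets_owasp_minimum(n)}")
    # 1.0s is a constructed budget; pick what feels acceptable on your slowest device.
    print("highest count under a 1.0s budget:", highest_comfortable_count(1.0))
```

Run it on the slowest device that unlocks the vault (phone-class hardware will be the limiting case), since the count is an account-wide setting.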
-
ActiveSync / Push Notifications for Cloudron Mailserver
@girish Seems like the package dependencies are all PHP related (php php-cli php-soap php-mbstring php-imap libawl-php php-curl php-xml php-ldap). I searched on one of my Ubuntu 22.04 LTS instances and all packages were available. I don't have Ubuntu 23 so I can't check that version specifically. Given these are fairly standard libs I would hope they will be available in subsequent Ubuntu releases (23+). FYI, installation details are here for Ubuntu 22.04: https://github.com/Z-Hub/Z-Push/wiki/Installation#Z-Push-on-Ubuntu-2204.
-
ActiveSync / Push Notifications for Cloudron Mailserver -
ActiveSync / Push Notifications for Cloudron Mailserver
@girish Did Z-Push ever make the final cut for the App Store? Since Kopano stopped supporting this, a new maintainer has emerged (https://kopano.com/blog/z-push-has-a-new-home-and-a-new-maintainer/) and Z-Push appears to have been updated to PHP8+, which is encouraging. @fbartels In searching for z-push I even found an old docker repo you were playing with 9 years ago! This could be a very powerful option for Cloudron email with ActiveSync as an alternative to Exchange/O365. Any interest in pursuing this?
-
fido2support
@adisonverlice2 We have a proprietary application (not hosted on Cloudron). I have considered using Cloudron as the single source of authentication truth, but for various reasons, I will likely not go in that direction.
-
fido2support
@adison +1 for passwordless.dev. Looks really interesting. We have been considering implementing passwordless in one of our applications and their generous user allowance makes a powerful business case. Seems to fit the Cloudron culture as well.
-
Versioning Software for Images?
@LoudLemur Personally, I would use a file storage platform like Box.com. As soon as you save a file locally, it "syncs" up to the cloud and once there, any collaborators will receive the downloaded version via "sync" to their machine. In the case of Box, they have an upgrade feature called Governance, which never deletes a version. You can literally roll back to an image you had 2 years ago, make it current, and begin editing from there. From the web client, versions can be viewed, downloaded, and made current.