You are not logged in.
- Topics: Active | Unanswered
#51 Re: FluxBB discussion » FluxBB 2.0 - couple ideas » 2010-12-16 15:48:20
- MattF
I think having a section in your profile showing your current logged in sessions, and the last access time (and potentially even IP/user-agent)
Possibly leaking personal information is a good measure nowadays then?
#52 Re: FluxBB discussion » FluxBB 2.0 - couple ideas » 2010-12-16 15:40:46
- MattF
Matt, you are wrong. There is a huge difference between hashing multiple times and just doing "something safe" once. I'm sure Smartys or Reines will explain.
I'm not incorrect, I'm merely working along sensible lines. There is a point where supposed security is there for the mere sake of it, which I'll go into further after Jamie's post below.
The theory behind it is to slow down the process.
Using simply a hash, it can be attacked using rainbow tables. Adding in a salt makes that impossible, but it can still be brute forced. With todays hardware (4x AMD HD 5970s) up to 33.1billion MD5 attempts per second can be made (with that, an 8 character a-z password can be cracked in 6 seconds...). sha1 and sha256 are slower than MD5, but brute forcing a weak password is still not hard. By iterating the hash X times you are slowing down brute force attacks by a factor of X, however someone logging in isn't going to notice the extra few ms added to their request. By simply using 4096 iterations that 6 seconds becomes nearer 7 hours.
Right. You have three possible scenarios that jump to mind offhand, (granted, there are probably far more).
One: Someone is flooding the login page with possibilities. Flood protection is far more sensible and useful than making them take N months to decrypt a password. Your password is safe but we'll just D.O.S the server.
Two: Your database has been compromised. A securely hashed password in this scenario is going to help how, exactly? Again, it's polishing a turd. If someone needs excessive levels of hashing, the mere fact that they know that also means that they will have the abilities to implement that.
Three: Some form of snooping. You think they're not going to crack the password at their leisure if they're that bothered about accessing that account?
If I'm missing some point about exactly what benefit an anal level of hashing will achieve, I'll happily digress once it's pointed out.
By session I mean the idea that when you log in, a session ID is generated and used (stored in a cookie) to identify you. My thought would be against using the built in PHP sessions, as they store session data in flat files IIRC. Instead it would be nice to just store the session IDs and associated data in the online table in the database.
You can alter the session_save_handler to use a custom storage format, including the DB. Personally, I find a mix preferable. The inbuilt PHP session system for creating and destroying the sessions etc, but not relying on the session cleanup functions alone or on the stability of the session system, (it's quirky/buggy). The session functions create and destroy, but then control the information as you always have done.
That really annoys me when sites do that. I switch between my desktop, laptop, phone, and work PC quite a lot, at least between my desktop, and work PC every day. If I had to re-login every single time it would be incredibly annoying.
All of the obsessive server side security measures are going to help how, the first time some numpty steps away from his desktop to browse on another machine whilst not locking the machine? Smart move. Go anal on password security and then leave all of the barn doors wide open once someone enters the barn, because we all know how normal users are so security conscious that they wouldn't possibly do a trick like that.
#53 Re: FluxBB discussion » FluxBB 2.0 - couple ideas » 2010-12-16 14:49:34
- MattF
Can't personally see the use in multiple iterations. It's akin to polishing a turd. Do it right first time, in the most secure manner accessible. After a point, you're just hashing for the sake of hashing. Something like this should be ample:
function generate_hash($salt, $content, $algo = false)
{
$hash_algos = hash_algos();
if ($algo && in_array($algo, $hash_algos))
{
return hash($algo, $salt.hash($algo, $content));
}
else if (in_array('sha256', $hash_algos))
{
return hash('sha256', $salt.hash('sha256', $content));
}
else
{
return sha1($salt.sha1($content));
}
}Algorithm configurable with fallback to older methods if necessary. If someone is willing to put the time and effort into decoding passwords generated with that, you probably ain't going to stop them period.
In the past FluxBB has always used a combination of user_id and password_hash in a cookie to authenticate a user. I would quite like to change this to a session based system (as in the concept of sessions, not PHPs session_start() stuff...). A few things come to mind:
Will you be using PHP sessions or won't you? The above is unclear. If not, what do you class as a session?
The password is no longer stored client side - after the login it's gone, less chance of it being stolen I guess?
Common sense approach.
How secure is using a session ID to authenticate? Presumably if we used a 160-bit session ID, then it's no less secure than a SHA1 hash of... anything.
Not sure what you mean by that?
Using sessions would allow us to store a list of sessions in the online table, rather than simply user IDs, meaning users could see exactly how many times they are currently logged in (like gmail and some other things do).
Why would a user need to be logged in more than once? IMHO, they login from elsewhere, you ditch their previous session.
This would allow a session to be forcefully expired by the server if needed (imagine you left a public PC logged in - you could simply log in at home and choose to terminate that session).
That should be the default setup. Expired by both a configurable time period and/or the user logging in from elsewhere, whether that be merely a different UA on the same machine or a completely different physical location.
Users could easily see if their account was compromised.
How? I think seeing someone in the online list under your username or posts appearing which you never created would be a giveaway no matter what the base system inplace. That's a moot point, IMHO.
#54 Re: FluxBB discussion » Meta tags for the homepage » 2010-12-16 00:20:06
- MattF
Very. The content of that is the primary heading/link shown by the search engines above the description, as a rule. You want to keep it succinct, but something a tad more than just FluxBB would be good. 
Something like:
FluxBB - A compact and optimised forum system
or similar would give people a good first glance notion without drawing it out/elongating it too much.
Btw, you really do want to change that paragraph on the homepage. This:
FluxBB was designed as
really should be:
FluxBB is
The former makes it sound as if that's what you intended but it might not have gone that route, whereas the latter doesn't allow any suggestion of may or may not. It merely is.
#55 Re: FluxBB discussion » Meta tags for the homepage » 2010-12-15 20:09:42
- MattF
Wrong tag. If you're going to supply keywords, use the keywords tag. Description is supposed to be exactly that, a brief description of the current pages content. If there is no description as such, make up a proper description for the homepage, along the lines it is now. Personally, I'd use the, (corrected), contents of the first paragraph on the homepage:
FluxBB is a lighter, faster alternative to some of the traditional feature heavy forum applications. It is easy to use and has a proven track record of stability and security, making it an ideal choice of forum software for your website.
Using that, you're giving someone all the information they need to form an instant decision about the site/software, if the search engines do decide to use that description in their listing.
#56 Re: FluxBB discussion » FluxBB - reasons why..? » 2010-12-15 19:17:12
- MattF
Pretty much the same reason as Reines. Simplicity. It's a compact core system upon which to build, without having to remove tonnes of unnecessary cruft.
Tried MyBB recently, to see what all the hype is about. Bloody hateful system, IMHO. Inconsistent logic, an admin panel which can make one weep and a, (at that time), lead Dev, (who has recently parted ways with MyBB), who could swear blind that a bug wasn't a bug and a community which is unusual, to say the least. I'd still go with Flux any day of the week.
#57 Re: General support (1.4) » PunBB 1.3 to FluxBB 1.4 » 2010-12-15 00:30:36
- MattF
Aye, the trustworthiness is a hard one to judge on freelance work. That's one of the main reasons I've personally avoided that type of work. Between unrealistic expectations, horrendously bad plans that people draw up and expect someone to decipher and the whole trust thing, it seems to be a case of toss a coin and hope.
#58 Re: General support (1.4) » PunBB 1.3 to FluxBB 1.4 » 2010-12-14 16:28:44
- MattF
Are there any viable, (less arsey), alternatives to them? What payment method do you generally insist upon these days?
#59 Re: General support (1.4) » PunBB 1.3 to FluxBB 1.4 » 2010-12-14 16:13:34
- MattF
That's a bugger for you mate. Unfortunately, there are all too many nobs like him/her knocking about.
#60 Re: General discussion » Why not GNU Affero GPL? » 2010-12-07 15:05:50
- MattF
To strip it down to the basics, the licence doesn't make a monkeys difference as to whether someone will contribute back or not. The only difference it would make, in reality, is putting potential users off.
Around 95% of people who use software will never have the faintest idea how to code for it. Of the other 5%, (these values are approximations, before anyone asks for data sources), who can code, they know exactly what they're doing. If they intended to give back, they would do so regardless of licence. If they have no intention of, they won't, regardless of licence.
The only thing that would happen is that the Dev team would practically need to devote one members time to chasing down all infringements. Hell of a way to waste a Dev's time, in my book. GPL is fine. Even that's too restrictive, IMHO.
#61 Re: Modifications (1.4) » frontpage portal for 1.4 » 2010-12-05 16:13:54
- MattF
Wondered how long it would be before you noticed this thread. Yes, with modification. You added pagination to the old one, didn't you? Should be very little difference between what you had to do with that compared to what you'd need to do with this one. Just alter that $limit var as necessary via the GET vars and use the pagination function.
Edit: If I get a chance, I'll have a look at adding it. Wouldn't bank on me getting the chance though.
#62 Re: FluxBB discussion » E-mail auth question. » 2010-11-18 21:58:11
- MattF
Ah. I thought the ticket system was for intended changes only. I'll get one added.
Edit: Have I done it correctly?
#63 Re: FluxBB discussion » E-mail auth question. » 2010-11-18 21:41:58
- MattF
Add a ticket? Like I've any idea how to... I've popped it up here so that one of you Dev's can decide whether to even bother with it or not. I'll leave the ticket honours to one of you if anyone considers it even worthwhile adding, (assuming the patch even works, that is ).
#64 Re: FluxBB discussion » E-mail auth question. » 2010-11-18 19:04:48
- MattF
Just on a tanget, another thing that might be worthwhile incorporating into the email script? If a 55* code is returned for a recipient, would it not be worthwhile adding an active/inactive column to the user table and toggling that on a 55* response so that no e-mails are sent to that address again? If a site has a lot of users with invalid addresses, constant attempts to send to those addresses could theoretically end up with a system being blacklisted, tarpitted or similar. If an address receives a 55* at any time, it's a good bet it will do so always. It is supposed to be a permanent response, after all.
#65 Re: FluxBB discussion » E-mail auth question. » 2010-11-18 17:48:52
- MattF
Untested and wants checking over for glaring omissions/errors or suchlike, (I must have overlooked something ), but here's a diff which should theoretically provide CRAM-MD5, (checking for and using LOGIN if CRAM not available), auth and also check and fallback to SMTP if ESMTP isn't supported.
#66 Re: FluxBB discussion » E-mail auth question. » 2010-11-18 17:15:03
- MattF
I'll see what I can knock together then. Might be a good opportunity to do a fallback to non-ESMTP mode too if EHLO isn't supported.
#67 FluxBB discussion » E-mail auth question. » 2010-11-18 16:23:46
- MattF
- Replies: 9
Just out of curiosity, is there any specific reason why only AUTH LOGIN is used in the e-mail class rather than checking for, (and using as the preferred option if available), CRAM-MD5? Just seems to be the preferable of the two options if SSL isn't being used for the connection.
#68 Re: General support (1.4) » Trouble installing » 2010-11-18 02:01:01
- MattF
Bearing in mind that I'm not familiar with MySQL, other than username or password being incorrect, the only other thing which springs to mind is connections from localhost not being allowed in the conf file.
#69 Re: General support (1.4) » Trouble installing » 2010-11-18 01:54:28
- MattF
Try the I.P: 127.0.0.1
#70 Re: Modifications (1.4) » frontpage portal for 1.4 » 2010-11-16 01:10:36
- MattF
No idea. One of the others will need to guide you on that point. I can't remember a lot of the finer points of the Flux code. I was merely cleaning up that 'just usable' abortion of a script up from the first post for future use.
Edit: In fact, I'll post the new code on here to make sure there's a permanent copy on here:
<?php
/**********************************************************************/
define('PUN_PORTAL', 1);
define('PUN_ROOT', './');
define('PUN_QUIET_VISIT', 1);
require PUN_ROOT.'include/common.php';
define('PUN_ACTIVE_PAGE', 'index');
$page_title = array(pun_htmlspecialchars($pun_config['o_board_title']));
define('PUN_ALLOW_INDEX', 1);
require PUN_ROOT.'header.php';
require PUN_ROOT.'include/parser.php';
/**********************************************************************/
function pun_news($fid = false, $limit = false, $length = false, $truncate = false)
{
global $lang_common, $db, $pun_config, $db_prefix;
$output = '';
$order_by = 't.posted';
$max_subject_length = 30;
$fid = (($fid) ? 'f.id='.intval($fid).' AND ' : '');
$limit = ' LIMIT '.(($limit) ? intval($limit) : 25);
$max_content_length = (($length) ? intval($length) : 500);
# Fetch the topics.
$result = $db->query('SELECT p.message, t.id, t.poster, t.subject, t.posted, t.last_post, f.id AS fid, f.forum_name FROM '.$db_prefix.'topics AS t INNER JOIN '.$db_prefix.'posts AS p ON p.id=t.first_post_id INNER JOIN '.$db_prefix.'forums AS f ON t.forum_id=f.id WHERE '.$fid.'t.moved_to IS NULL ORDER BY '.$order_by.' DESC'.$limit) or error('Unable to fetch topic list', __FILE__, __LINE__, $db->error());
if ($db->num_rows($result))
{
while (($cur_topic = $db->fetch_assoc($result)))
{
if ($pun_config['o_censoring'] == '1')
{
$cur_topic['subject'] = censor_words($cur_topic['subject']);
}
if (pun_strlen($cur_topic['subject']) > $max_subject_length)
{
$subject_truncated = trim(substr($cur_topic['subject'], 0, ($max_subject_length-5))).'...';
}
else
{
$subject_truncated = $cur_topic['subject'];
}
$output .= '<div class="block">'."\n".'<h2><span>'.pun_htmlspecialchars($subject_truncated).' - '.gmdate('l, d F Y', $cur_topic['posted']).'</span></h2>'."\n\t".'<div class="box">'."\n\t\t".'<div class="inbox">'."\n\t\t\t".'<p><a href="'.$pun_config['o_base_url'].'/viewtopic.php?id='.$cur_topic['id'].'&action=new" title="'.pun_htmlspecialchars($cur_topic['subject']).'">'.pun_htmlspecialchars($subject_truncated).'</a> - <em>Posted by '.$cur_topic['poster'].' at '.gmdate($pun_config['o_time_format'], $cur_topic['posted']).'</em></p>'."\n\t\t\t";
if ($truncate == 1)
{
if (pun_strlen($cur_topic['message']) > $max_content_length)
{
$max_content_length = strpos($cur_topic['message'], ' ', ($max_content_length-15));
$cur_topic['message'] = substr($cur_topic['message'], 0, $max_content_length).'...';
}
}
$output .= parse_message($cur_topic['message'], 0)."\n\t\t".'</div>'."\n\t".'</div>'."\n".'</div>'."\n";
}
print($output);
}
}
/**********************************************************************/
pun_news(1, 5, 500, true);
require PUN_ROOT.'footer.php';
/**********************************************************************/
?>#71 Re: General support (1.4) » Google Analytics and FluxBB » 2010-11-14 15:32:19
- MattF
Add it to the primary template, (include/template/main.tpl).
#72 Re: General discussion » topic francais » 2010-11-14 15:30:57
#73 Re: Show off » Flux sites » 2010-11-14 11:46:02
- MattF
I came across this yesterday: http://chrispederick.com/forums/, my favorite Firefox extension.
I use that addon too. Handy piece of kit.
#74 Re: General support (1.4) » Hide an additional menu from guests » 2010-11-14 11:43:36
- MattF
It's correct. The is_guest is preceded by !, hence specifying that if is_guest false, continue. This one is wrong though:
- Show only to mod/admin: if (!$pun_user['is_admmod'])Should be:
- Show only to mod/admin: if ($pun_user['is_admmod'])#75 Re: Show off » Flux sites » 2010-11-13 17:40:11
- MattF
Xfce have switched to Flux from SMF.