Question about Node security


Scott Kingery

Aug 29, 2018, 6:25:11 PM
to TiddlyWiki
After some poking around this forum I've been starting my tiddlywiki on my LAN with:
tiddlywiki .\mytiddlywiki --server 12864 $:/core/save/lazy-images text/plain text/html "myusername" "*MYsecretPassword" 0.0.0.0

It's cool because I can get to my wiki from anywhere on the LAN, and it works nicely on Android and iOS because I can browse to the wiki without much other hassle.

Not too worried about security because the only one who knows about it is me. I am wondering how secure this would be if it were on a larger LAN than my house, or with some port forwarding to get to my server from outside my LAN.

Thanks,
Scott

Rob Hoelz

Aug 29, 2018, 8:44:18 PM
to TiddlyWiki
Hi Scott,

So take everything I'm about to say with a giant grain of salt - a lot of this assumes that an attacker is very interested in your wiki!

If you were sitting in a café with your laptop connected to unencrypted WiFi and you were connecting to TiddlyWiki on your laptop from your phone, the contents of your wiki would be visible to anyone wanting to sniff traffic out of the air.  From a cursory look at the TiddlyWiki server code, it looks to me like TiddlyWiki uses basic authentication, which means one could easily derive your username and password from this traffic.  Without observing traffic, an attacker would have a harder time, but I guess they could port scan to find open ports on your laptop and try to brute-force your username and password - assuming the network operator allows different WiFi clients to talk to each other.

Regarding port forwarding, you're in a similar situation - TiddlyWiki serves its traffic over HTTP, so anyone between the machine accessing your TiddlyWiki and your home router could sniff this traffic.

Packet sniffing is fairly easy to guard against (I'm not sure how technical a background you have, so be warned - here be dragons!): you could use an HTTPS reverse proxy like nginx with Let's Encrypt to provide a certificate to encrypt the traffic between your laptop or router and your Android/iOS device.

To protect against brute forcing, you would probably want some mechanism to deny a user after a certain number of incorrect tries, like fail2ban.

-Rob
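Rob's fail2ban suggestion, shown as detection logic rather than as fail2ban's own filter: this is an added example, not code from the thread or from TiddlyWiki, written in Python over constructed nginx access-log lines for a reverse proxy sitting in front of the TiddlyWiki server. The log format, the addresses and the maxretry/findtime values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" log format: ip, identd, user, [timestamp], "request line", status, bytes, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def find_bruteforcers(lines, maxretry=5, findtime_s=600):
    """Client IPs with `maxretry` 401s inside any `findtime_s`-second window (fail2ban's
    maxretry/findtime idea). Behind the proxy, a 401 means TiddlyWiki rejected the
    Basic-auth credentials, so a burst of them from one address looks like guessing."""
    window = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)   # ip -> timestamps of its recent 401s
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # unparsable line: skip rather than crash the watcher
            continue
        ip, ts, status = parsed
        if status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            flagged.add(ip)
    return flagged

# Constructed sample log: 203.0.113.7 keeps guessing; 192.0.2.10 mistypes once, then logs in.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Aug/2018:19:01:02 +0000] "GET / HTTP/1.1" 401 188 "-" "curl/7.61"',
    '203.0.113.7 - - [30/Aug/2018:19:01:03 +0000] "GET / HTTP/1.1" 401 188 "-" "curl/7.61"',
    '192.0.2.10 - - [30/Aug/2018:19:01:10 +0000] "GET / HTTP/1.1" 401 188 "-" "Mozilla/5.0"',
    '192.0.2.10 - scott [30/Aug/2018:19:01:15 +0000] "GET / HTTP/1.1" 200 9512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Aug/2018:19:01:20 +0000] "GET / HTTP/1.1" 401 188 "-" "curl/7.61"',
    '203.0.113.7 - - [30/Aug/2018:19:01:21 +0000] "GET / HTTP/1.1" 401 188 "-" "curl/7.61"',
    '203.0.113.7 - - [30/Aug/2018:19:01:22 +0000] "GET / HTTP/1.1" 401 188 "-" "curl/7.61"',
]

def addresses_to_block(lines=SAMPLE_LOG):
    return sorted(find_bruteforcers(lines))   # -> ['203.0.113.7']
```

A real fail2ban jail would hand the flagged addresses to the firewall for a limited ban time; the legitimate user's single typo stays below the threshold.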

Jeremy Ruston

Aug 30, 2018, 7:49:41 AM
to tiddl...@googlegroups.com
Hi Scott

Just to add to Rob’s excellent answer that the upcoming TiddlyWiki 5.1.18 includes native support for serving over HTTPS. Sadly, hosting SSL services with a self-signed certificate requires some messing around to tell your browsers to trust the certificate, but once set up it does offer robust protection against network traffic snooping.

You can see the docs for the HTTPS support here:


There are of course still scenarios where it makes sense to put TW behind nginx or another proxy (eg defense against DDoS attacks).

Best wishes

Jeremy.

-- 
You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+...@googlegroups.com.
To post to this group, send email to tiddl...@googlegroups.com.
Visit this group at https://groups.google.com/group/tiddlywiki.
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/b6d80db9-1904-4190-b16c-418b7842b033%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Scott Kingery

Aug 30, 2018, 12:07:31 PM
to TiddlyWiki
Thanks, Rob and Jeremy. Both answers make sense to me. The contents of the wiki I'm using to test this would put any attacker to sleep if they did see the traffic over the wire :) I'll probably try out the HTTPS features in the future if only to learn how it all works.

Thanks again for the explanation and links!

PMario

Aug 30, 2018, 2:25:12 PM
to TiddlyWiki
On Thursday, August 30, 2018 at 6:07:31 PM UTC+2, Scott Kingery wrote:
... The contents of the wiki I'm using to test this would put any attacker to sleep if they did see the traffic over the wire :)

Not really,

 - You may use the same or similar username for different other accounts.
 - I'm sure you use different passwords for different accounts, right?
 - The password length would be of interest.
    - Many humans are "driven by habit". So I could guess that your TW password isn't much longer than those you use for your other internet accounts.
 - It would be interesting if your TW PW contains "special chars" ... If it doesn't, your other PWs may be weak too.
 - Your username may contain an email address
    - e-mail addresses are always interesting.
 - ...

If only one of the above assumptions is true, sniffing your TW traffic will be of interest. ...

So I personally would _never_ fill out any forms using unencrypted traffic on a publicly usable / viewable WiFi network!

Just my 2 cents.

have fun!
mario

Scott Kingery

Sep 2, 2018, 11:56:44 PM
to tiddl...@googlegroups.com
Mario,
You make a good point and thanks for your comments. Anyone putting an application online or accessing an application should take all of these comments to heart.
Scott
