[pmwiki-users] One time passwords, anyone?
Petko Yotov
5ko at 5ko.fr
Fri Aug 21 10:27:10 CDT 2015
On 2015-08-21 11:51, Oliver Betz wrote:
> does anybody use one time passwords with PmWiki?
I don't.
> To access private pages from foreign (untrusted) machines or networks,
> it would be a nice option.
>
> But I'm afraid that it is not simple to implement, correct?
Correct.
> With time based OTP like Google authenticator, one needs to keep track
> of used passwords to avoid replay attacks. Counter based OTP need to
> store the new counter value.
>
> With challenge/response systems, you need a suitable password
> generator on your mobile device.
Actually this can be easier/simpler: the wiki generates a one-time
password, stores it in a server session file, and sends it via e-mail or
SMS to the user. The user has not left the wiki page (to keep the
session id), checks her e-mail or SMS and types the one-time password.
> And: Since PmWiki uses PHP sessions for authentication, is it
> vulnerable to session hijacking?
Yes, like any other software using session cookies (e.g. all of them).
If your wiki is accessible over HTTP and not https/ssl, anyone between
you and your wiki might possibly read anything that is sent in both
directions. This includes your home router, the switches and routers of
your local ISP, the switches and routers of your hosting provider and
the server where your wiki is.
In reality, it is not likely that someone at your home ISP would try to
steal session ids or passwords, but the risk should be estimated by you.
However, if you connect via a public open wifi hotspot, it is possible
that someone can read the data packets you send via radio waves, and
discover your passwords or session ids.
If a wifi hotspot is encrypted and you have to enter a WPA password like
at a café/restaurant/friend, then the link to the hotspot is protected
but if you connect to any website over HTTP not HTTPS, then the owner of
the hotspot/router can potentially store and read all data sent.
Even if you use TOR, anyone between the last TOR exit node and your HTTP
wiki can read the data -- and seeing your website, name, e-mail address,
can know exactly who you are.
If you connect via HTTPS, in theory only your browser and the server of
your hosting provider, where the wiki is, can know the data sent and
received[*]. That's why there are campaigns "HTTPS everywhere" and
"Let's Encrypt". I can only hope that when "Let's Encrypt" becomes
available, shared hosting providers will enable it for all their clients
at no cost, as these certificates are free of charge. (They would still
require a dedicated IP address but this can be IPv6, also free.)
Note that some hosting providers offer a "shared" ssl server to access
your site, with a different address like
https://ssl2.ovh.net/~username/ (the European OVH provider) or
https://secure27.prositehosting.co.uk/username/ (FastHosts UK). This can
be free of charge or only enabled for some hosting plans. If you have
sensitive data, but cannot afford an SSL certificate with a dedicated IP
address, it is always better to use the secure server than your own
domain name.
Now, if one has to write a module sending a one-time-password via
e-mail, once again, your e-mail client should connect to the e-mail
server via an encrypted connection (ssl/tls). Most e-mail providers
allow such connections. If the connection to the e-mail servers is not
encrypted, it is exactly like the HTTP connection: it can be read by anyone
on the network.
About the SMS, if the wiki sends the one time password, on some phones
the message is shown even if the screen is locked. Again, this may not be
sufficiently secure. Also, it is not always possible to send an SMS
to a phone via the web: some phone companies allow it with an
email-to-sms gateway or via a special API. Generally, to avoid spam,
this is either password-protected and must be enabled by the phone
owner, or it costs something like 0.12 EUR incl. VAT per message.
Petko
[*] Some companies have their IT departments install bogus SSL
certificates on every computer, laptop or smartphone, so that they can
log and store all data sent by their employees or users. This is worse
than everything because the browser is tricked into connecting to a website
by an incorrect certificate, and the data is decrypted by a device or a
program on the routers of the company, stored, then re-encrypted and
sent to the server and back to the user. This is used in some schools to
check if pupils connect to illegal or pornographic websites, and to read
their Facebook posts. In some places they even require you to install
the company's SSL certificate on your own laptop/smartphone. :-( Brave
new world.
--
Change log : http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes : http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade : http://www.pmwiki.org/wiki/PmWiki/Upgrades
If this message helped you and saved you time, feel free to make
a small contribution: ♥ http://5ko.fr/donate-ml (mailing list).
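The scheme Petko sketches above (wiki generates a one-time password, keeps it in the server session, mails or texts it, user types it back) is shown below as an added example. This is not code from the message or from PmWiki itself: the function names, the five-minute lifetime, the five-attempt limit and the `$session` array standing in for `$_SESSION` are all assumptions made so the script runs from the command line.

```php
<?php
// Added example, not PmWiki code: a one-time password sent out of band and
// kept server-side. $session stands in for $_SESSION so the script runs
// from the CLI; TTL, attempt limit and function names are assumptions.
declare(strict_types=1);

const OTP_TTL_SECONDS  = 300; // code is valid for five minutes (assumption)
const OTP_MAX_ATTEMPTS = 5;   // then the code is discarded (assumption)

// Create a 6-digit code, store only its hash plus expiry and attempt counter,
// and return the plain code for the caller to send by e-mail or SMS. The
// plain code must never be written into the page the user is looking at.
function otp_issue(array &$session, int $now): string
{
    $code = sprintf('%06d', random_int(0, 999999)); // CSPRNG, not rand()
    $session['otp'] = [
        'hash'     => password_hash($code, PASSWORD_DEFAULT),
        'expires'  => $now + OTP_TTL_SECONDS,
        'attempts' => 0,
    ];
    return $code;
}

// Check a submitted code. Returns true once for a fresh, unexpired code and
// false otherwise. The stored record is dropped on success, on expiry and
// after too many wrong guesses, which is what stops replay of a captured
// code and online guessing of a 6-digit value.
function otp_verify(array &$session, string $submitted, int $now): bool
{
    if (!isset($session['otp'])) {
        return false;
    }
    if ($now > $session['otp']['expires']
        || $session['otp']['attempts'] >= OTP_MAX_ATTEMPTS) {
        unset($session['otp']);
        return false;
    }
    $session['otp']['attempts']++;
    // password_verify compares in constant time, so wrong guesses leak no timing.
    if (!password_verify($submitted, $session['otp']['hash'])) {
        return false;
    }
    unset($session['otp']); // single use: the same code cannot be accepted twice
    // In a real module call session_regenerate_id(true) here, so the session
    // id that existed before login is not the one carried into the logged-in
    // session (this reduces the value of an id sniffed earlier on the network).
    return true;
}

// Walk-through with a fake session array (constructed for this example).
$session = [];
$now = time();
$code = otp_issue($session, $now);
// A real module would call mail($address, 'Your wiki login code', $code) here.
printf("fresh code accepted:   %s\n", otp_verify($session, $code, $now) ? 'yes' : 'no');
printf("same code replayed:    %s\n", otp_verify($session, $code, $now) ? 'yes' : 'no');
$code = otp_issue($session, $now);
printf("expired code accepted: %s\n",
    otp_verify($session, $code, $now + OTP_TTL_SECONDS + 1) ? 'yes' : 'no');
```

The code is hashed before it is stored so that a copy of the session file on the server does not reveal a still-valid password, and everything the reply says about the transport still applies: the code is only as private as the HTTPS connection to the wiki and the TLS connection to the mail server it travels over.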