Disappointed by lack of security
BarryK Tuesday 15th August 2017, 19:15:43Really like the look of this blog. Easy to install, simple to use. I am evaluating it here:
http://easyos.info/forum/
My previous blog was a derivative of PPLOG, a perl script. Well, it still exists:
http://barryk.org/news/
About a year ago, I had to disable comments, as someone attacked my site, posting comments with pornographic links. We implemented various measures in the perl script, but the person persisted. He/she took the time to enter the captchas and got around other barriers.
Flatboard is like our original PPLOG script, just a simple captcha. But it did at least record a username and prevent anyone else from using it. That is quite easy to implement. Quite frankly, your system of username#password is ridiculous. If I post as BarryK#ajd74823e and someone else posts as BarryK#85436es, how are readers expected to remember my hash-code, they will think the second poster is me. So, ridiculous system. You could have just remembered the first poster to use "BarryK" and make that unique. I can then post with BarryK#mypassword, and only BarryK will display, and no one else will be able to use "BarryK".
However, the real problem is there is no protection against spammers. Yes, the captcha will deter auto-spamming, but there are many villains out there who will personally spam a site.
What they want is to get lots of links hidden away in your forum. If they post comments to old posts, will you see that on the front page?
There has to be some kind of identification of the sender. I recently evaluated HTMLy blog, which uses Google or Discus to handle the comments. That works quite well.
Or, implement email verification before accepting a post. Unfortunately, we did that with PPLOG, an automatic email verification system, with blacklisting of email addresses. However, the spammer used throw-away email addresses, a different one each time.
There would have to be manual verification.
Blocking by IP address also does not work, as that can be spoofed.
I will leave Flatboard on my site for a few days, but it has to go unfortunately, unless you have something under development that will improve security, or there is a plugin that I overlooked.
Last modified by BarryK on Tuesday 15th August 2017, 20:18:00
Replies 6
Good evening BarryK,
I can understand that with the ease of use of Flatboard, you have a doubt about security.
You have to know before all, that I have set up several points to secure at best (you can always do better) Flatboard.
To begin with, a key is generated during the installation of Flatboard, which guarantees a unique hash on user names in each new installation.
Unless you know this key, it is therefore impossible to have the same hash on one's username, even with an identical password, on another installation.
Then on each form, there is a system of token also unique and automatically generated.
I recommend using a custom image instead of identicon that is generated and remains the same, based on the name with the hash.
So there is the last point to validate by the user, the captcha. The latter goes in addition, I have provided another one to allow time to modify the key that generates the captcha.
Not forgetting that on the replies and the login page, there is a limit of 3 attempts, otherwise the form disappears for 3 minutes before you can try again.
Finally, I will soon add a plugin that allows adding a signature. The latter still allows one to personalize one's identity, and that of the other users who wish to have a signature.
However, Flatboard will not be able to do anything for those who want to post anonymously and without a password (MyPseudo # Password).
It is for this reason that I specify it in the help of the Trip field.
Last modified by Fred on Tuesday 15th August 2017, 20:02:00
- Before asking a question, read the documentation.
- 🎉 Featured as #1 product of the day on Product Hunt
- Please like in alternativeto.net 👍🏻
- ╰☆╮Flatboard╰☆╮ is an open source project and community contributions are essential to its success!
- <TextField>, my new CMS project designed by a passionate developer, for developers!
- My last project Fast⚡︎CMS, a Flat-File cms.
- I am currently busy 😫.
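As an added illustration of the mechanism Fred describes above (example code, not Flatboard's own): a secret generated at install keys the hash of the pseudo and password, so the same "BarryK#mypassword" shows a different trip on another site, a bare pseudo stays unverifiable, and the login form locks after 3 failed attempts for 3 minutes. HMAC-SHA256, the 8-character trip length and the class and function names are assumptions.

```python
import hashlib
import hmac
import time

# Added example, not Flatboard's own code. Keying an HMAC-SHA256 over
# "pseudo#password" with the per-installation secret is an assumption; the
# page only says a key generated at install makes the hash unique per site.
TRIP_LEN = 8           # displayed hex characters (assumed)
MAX_ATTEMPTS = 3       # from the page: 3 attempts on the login form ...
LOCKOUT_SECONDS = 180  # ... then the form disappears for 3 minutes

def derive_trip(install_key: bytes, pseudo: str, password: str) -> str:
    msg = f"{pseudo}#{password}".encode()
    return hmac.new(install_key, msg, hashlib.sha256).hexdigest()[:TRIP_LEN]

def display_name(install_key: bytes, field: str) -> str:
    """Map the posted 'Pseudo#password' field to the name shown on the post.
    No password means a bare, unverifiable pseudo (Fred's caveat above)."""
    pseudo, sep, password = field.partition("#")
    if not sep or not password:
        return pseudo
    return f"{pseudo}#{derive_trip(install_key, pseudo, password)}"

def same_poster(name_a: str, name_b: str) -> bool:
    """Same poster only if pseudo and trip both match; a bare pseudo never
    matches, since there is no trip to compare."""
    if "#" not in name_a or "#" not in name_b:
        return False
    return hmac.compare_digest(name_a.encode(), name_b.encode())

class LoginLimiter:
    """Three failed attempts, then the form is refused for three minutes."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}  # pseudo -> (failure count, time of last failure)

    def allowed(self, pseudo: str) -> bool:
        count, last = self.failures.get(pseudo, (0, 0.0))
        if count < MAX_ATTEMPTS:
            return True
        if self.clock() - last >= LOCKOUT_SECONDS:
            del self.failures[pseudo]  # lockout expired, start over
            return True
        return False

    def record_failure(self, pseudo: str) -> None:
        count, _ = self.failures.get(pseudo, (0, 0.0))
        self.failures[pseudo] = (count + 1, self.clock())
```

Two posters who pick the same pseudo but different passwords get different trips on the same site, which is exactly the readability complaint raised above; the trip only proves continuity of one password holder, not ownership of the name.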
> If I post as BarryK#ajd74823e and someone else posts as BarryK#85436es, how are readers expected to remember my hash-code, they will think the second poster is me. So, ridiculous system.
Why don't you just assign an avatar to "BarryK"?
> You could have just remembered the first poster to use "BarryK" and make that unique. I can then post with BarryK#mypassword, and only BarryK will display, and no one else will be able to use "BarryK".
This script is derived from Goo, which was based off a textboard script, and I believe its vision is to still maintain the anonymity. If you want something that saves usernames with a hash, try the nononsense forum script.
Last modified by hmmy on Tuesday 15th August 2017, 20:17:00
I am BarryK, testing anonymous post.
Ah, I see, yes, if I have an avatar, then people would know it is me.
But, someone else could use the same image.
I know that I am being difficult, posing worst-case scenarios. But someone could pretend to be me, with same BarryK and use the same png image, of course with a different name. I guess then, the forum moderator could intervene.
Only the administrator or moderator with access to the server studies the images to be sent.
You now have the signature plugin, allowing to further customize your identity.
Your question therefore arises not on safety, but on identity theft.
Last modified by Fred on Wednesday 16th August 2017, 14:17:00
There's also a user admin span for admins / mods which color the names differently.
Fred,
This brings up a good idea for a plugin. The plugin could add the Pseudo (including trip) as a user span. Then in the admin menu you can add a CSS class to the username, similar to the tag feature Flatboard has. Then someone like BarryK could mark users as "Verified" or change his name how he would like. Thoughts?
Last modified by Fred on Saturday 19th August 2017, 14:31:00