security guideline for documentation #8232
Labels: c: Security, c: Website matomo.org
I read more and more insecure recommendations in documentation.
I guess the whole documentation needs to be assessed in terms of security.
In respect to software deployment, there are a few basic rules that seem important to me:
On Piwik documentation, it already starts insecure: http://piwik.org/docs/installation/#getting-started
I would like to read something about SSH here. Even FTPS has limitations (potentially just encrypting credentials). And there's a difference to SFTP/SCP.
Yes, MITM brings his virus in and we install it on our webservers. With https, this would be way more secure. Users would not even notice it. The HTTPS version https://builds.piwik.org/piwik.zip is already available, so why not use it? Just add an "s"...
Not just faster, also way more secure! But wait, why not download piwik directly from the webserver via shell using a secured https connection? This could also be worked around with a tiny PHP script downloading and extracting the installation files if users don't have shell access (still not the best option as it has similar limitations as before).
Did we miss the integrity check? Where's the SHA-x/MD5-Hashsum I should check? Where can I get hashsums safely? Keep in mind MITM can also compromise MD5-hashsums when he can compromise a download. If the download link is http, then at least the hashsum should be https.
How is it made sure that most of the files are read-only in the context of the web server (www-data) if users want to update without the web frontend's automatic update? This looks way too dangerous to me, anyway. Sure, people love it...
In many cases this is right. I'm just missing the information that empty passwords can be painful here.
Also consider #7519. You need a security guideline for documentation!
I'm sure we'd see great improvements in the code after that is done! (e.g. https-piwik-api instead of http-piwik-api in default config).
Don't get me wrong. The current documentation is always the easiest way for users, which is good in some way. But I guess most of them don't know what they do when following these recommendations. They should be warned at least if they do insecure stuff.
Now I'm also wondering how you work internally. Do you upload builds via FTP to the piwik web space?
Plus, security related documentation should be https-only. MITM could easily downgrade the security level of the documentation otherwise (at least if users expect valid https).
Always keep in mind that attackers will use every possibility as soon as they figure out how. E.g. attacks like https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html
Related: #1867 dating back to 2010...
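The three deployment points raised in this issue (download over HTTPS only, verify a published checksum before installing, keep the deployed tree read-only for the web server user) as a worked shell example. This is added here and is not code from the issue or from the Piwik/Matomo project; the checksum URL, the `piwik.zip.sha256` name, the install path and the writable subdirectories `tmp` and `config` are assumptions, not the project's documented layout.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Piwik/Matomo project.
# Shows: HTTPS-only download, SHA-256 verification before install, and a
# read-only deployed tree for the web server user. Checksum URL, archive
# name and writable subdirectories are assumptions.
set -eu

# Print the SHA-256 of a file; works with GNU sha256sum or BSD/macOS shasum.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED_HEX
# Returns 0 when the file's SHA-256 equals EXPECTED_HEX, 1 otherwise.
# Comparison is case-insensitive because published digests vary in case.
verify_checksum() {
  actual=$(file_sha256 "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: expected $expected, got $actual" >&2
  return 1
}

# https_get URL OUT
# curl is restricted to HTTPS; --proto-redir also stops a redirect from
# silently downgrading to plain http://, which is the MITM case the issue
# describes. OUT may be "-" to write to stdout.
https_get() {
  curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# fetch_verified ARCHIVE_URL CHECKSUM_URL OUT
# Downloads the archive and its checksum (both over HTTPS) and refuses to
# keep the archive unless the digest matches.
fetch_verified() {
  https_get "$1" "$3"
  expected=$(https_get "$2" - | awk '{print $1}')
  if verify_checksum "$3" "$expected"; then
    return 0
  fi
  rm -f "$3"   # never leave an unverified archive behind
  return 1
}

# make_read_only DIR [WRITABLE_SUBDIR ...]
# Strips write permission for group and others on the whole tree, then
# re-adds group write only on the subdirectories that genuinely need it.
# The deploy user owns the files; the web server (e.g. www-data) only shares
# the group, so it can read application code but not modify it.
make_read_only() {
  dir=$1; shift
  chmod -R go-w "$dir"
  for sub in "$@"; do
    chmod -R g+w "$dir/$sub"
  done
}

# Example invocation (needs network; the checksum URL, install path and
# writable subdirectories are assumed, not taken from the project docs):
#   fetch_verified https://builds.piwik.org/piwik.zip \
#                  https://builds.piwik.org/piwik.zip.sha256 piwik.zip
#   unzip -q piwik.zip -d /var/www
#   make_read_only /var/www/piwik tmp config
```

The checksum must be fetched over HTTPS even if the archive were not, as the issue points out; `--proto-redir '=https'` matters because a 301 to an `http://` mirror would otherwise defeat the whole check. If the published digest is served as a plain `.sha256` file with a trailing filename, the `awk '{print $1}'` keeps only the hex part.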