VNDB 2.23: A Security Update

#1 by yorhel
2014-10-15 at 13:31
I've made a whole bunch of small incremental changes since the last "version", so in reality these version numbers don't mean a whole lot anymore. But I felt it time to do a version bump anyway.

I've just pushed out a security update that I should have implemented years ago. Namely, new passwords are now hashed with scrypt instead of the SHA-256 function that was used previously. In practice, this means that if the VNDB user database ever gets compromised (as was the case with MangaGamer recently), your updated passwords should be relatively safe. They were already somewhat safer than how many other compromised sites stored your passwords, because the hashed passwords have always included both a global and user-local salt. Still, if the salts are known, a password could be cracked. Even more so if your password itself isn't secure enough.

Note that this update only applies to newly hashed passwords. To make sure that your account is safe, do either of the following:
- Log out and log in again
- Change your password in your profile.

If you just stay logged in forever or if you never log in in the first place, your password will remain hashed with the less secure SHA-256.

Also, even with this update, please don't re-use the same password across different sites. VNDB still does not support HTTPS (I need to work on this...) so remember that your password is sent over the network in plain text when you log in or change your password. Better not use VNDB on a network you don't trust.
EDIT: We're on HTTPS now. But it's always good to follow the above advice regardless. :)

As usual, if I screwed up somewhere, please let me know. Send me a mail at contact@vndb.org if you have trouble logging in or creating an account or whatever.
Last modified on 2014-11-03 at 07:54
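As an added illustration (not VNDB's own code), here is how the scheme described above can work: a global salt and a per-user salt both feed scrypt, and a successful login against an old SHA-256 row re-hashes the password on the spot, which is what "log out and log in again" achieves. The concatenation order, scrypt cost parameters and record layout are assumptions.

```python
import hashlib
import hmac
import os

# Constructed for this example: a site-wide secret that lives in config,
# not in the database, so a database dump alone does not reveal it.
GLOBAL_SALT = b"example-global-salt-not-the-real-one"

# scrypt cost parameters: assumed values, the thread states none.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def legacy_hash(password: str, user_salt: bytes) -> bytes:
    """Old scheme as the post describes it: SHA-256 over both salts and the
    password. The exact concatenation order is an assumption."""
    return hashlib.sha256(GLOBAL_SALT + user_salt + password.encode()).digest()


def scrypt_hash(password: str, user_salt: bytes) -> bytes:
    """New scheme: memory-hard scrypt, still keyed with both salts."""
    return hashlib.scrypt(password.encode(), salt=GLOBAL_SALT + user_salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_record(password: str) -> dict:
    """Stored row for a newly set password (hypothetical layout)."""
    salt = os.urandom(16)
    return {"algo": "scrypt", "salt": salt, "hash": scrypt_hash(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check the password against whatever scheme the row uses. On success,
    a SHA-256 row is re-hashed with scrypt in place: this is what logging
    out and back in achieves for existing accounts."""
    if record["algo"] == "scrypt":
        candidate = scrypt_hash(password, record["salt"])
    else:
        candidate = legacy_hash(password, record["salt"])
    # constant-time comparison so the check leaks nothing about the digest
    if not hmac.compare_digest(candidate, record["hash"]):
        return False
    if record["algo"] != "scrypt":
        record["salt"] = os.urandom(16)
        record["hash"] = scrypt_hash(password, record["salt"])
        record["algo"] = "scrypt"
    return True
```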
#2 by yorhel
2014-10-15 at 14:10
Oops, I screwed up when copying over the configuration from my beta VNDB. That's what I get for not committing secret values to public version control.

If you've updated your hashed password per above instructions before I posted this message, please change your password now in your profile. Otherwise you'll have to use the reset password form next time you want to log in. (You don't actually have to choose a different password, just spam your password in the profile form and hit the submit button)
#3 by cross
2014-10-15 at 14:14
Just to be sure, it hasn't been hacked yet, right?
#4 by yorhel
2014-10-15 at 14:16
Not that I know of.
#5 by hinoe
2014-10-15 at 20:02
You really should ask for the current password when letting a logged-in user change their password, given that so many people are always logged in and everything.
#6 by karharot
2014-10-15 at 23:52
I never use the same password on different sites, but it is good that you increased the security. Unfortunately the internet is full of people that cause harm just for the sake of harm, and it would suck if someone started resetting personal lists or doing something else that would be a pain for the account owner.
So thanks for your work and your care for the DB and its users :)
#7 by yorhel
2014-10-16 at 11:56
I'm on a roll.

Another minor security fix: Session tokens are now hashed before being stored in the database. This ensures that, if someone manages to get read access to the database, he still won't be able to log into anyone's account.

You really should ask for the current password when letting a logged-in user change their password, given that so many people are always logged in and everything.
Yeah...
Last modified on 2014-10-16 at 11:57
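The token-hashing change in this post, as an added example that is not VNDB's code: the cookie carries the raw token, the table stores only its SHA-256, and every lookup hashes the presented value first. The in-memory `SESSIONS` table and the function names are assumptions standing in for the real database.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed stand-in for the sessions table: keyed by the SHA-256 of the
# token, so a reader of the table never sees a value it could present.
SESSIONS: Dict[bytes, int] = {}


def _token_hash(token: str) -> bytes:
    # A plain, fast hash is enough here: unlike a password, the token is
    # 256 bits of fresh randomness, so brute force is not a concern.
    return hashlib.sha256(token.encode()).digest()


def create_session(user_id: int) -> str:
    """Issue a new session token; only its hash reaches the table."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_token_hash(token)] = user_id
    return token  # this value goes in the cookie and nowhere else


def lookup_session(token: str) -> Optional[int]:
    """Resolve a presented cookie value to a user id, or None if unknown.
    Hashing before the lookup also means stored values are never compared
    against attacker-chosen bytes directly."""
    return SESSIONS.get(_token_hash(token))


def revoke_session(token: str) -> None:
    SESSIONS.pop(_token_hash(token), None)


def stored_values_usable() -> bool:
    """Model a reader with database access: is anything in the table
    accepted when presented as a cookie? It is not, because the stored
    value is only the hash and lookup hashes its input again."""
    return any(lookup_session(h.hex()) is not None for h in list(SESSIONS))
```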
#8 by yorhel
2014-10-20 at 16:58
Another security update: I'm finally experimenting with HTTPS again. You can already browse VNDB over HTTPS: https://vndb.org/, but keep in mind that it's not really complete yet. You will probably get redirected to non-HTTPS again after filling out a form - I'll work on that.

I haven't decided yet whether to force TLS on everything and enable HSTS or to keep it as a side feature or to force it for logged in users or... etc. Feedback is welcome.

Oh, and it requires a DNS update. If you can't connect to the HTTPS version at all, it's probably because your DNS is behind. vndb.org now points to 94.23.145.1 and s.vndb.org to 46.105.138.82. This might take 24 hours.
#9 by hinoe
2014-10-21 at 07:44
Ooh, great!

Nice, pretty nice; thanks a bunch!

*writes a rule on HTTPS Everywhere to force it to work*
#10 by maou-jp
2014-10-22 at 12:09
Looking forward to the HTTPS!
Thanks Yorhel.

If I'm allowed to say, I would choose to force TLS everywhere.
#11 by yorhel
2014-10-22 at 13:15
Yeah, that's what I'm thinking of doing. It's the simplest thing to implement and also offers the best security. I'll wait some more to give the DNS some more time to propagate (geez DNS is slow) and then I'll add the redirects and stuff.
#12 by ds1150
2014-10-22 at 18:31
I'd definitely like to be able to use VNDB over HTTPS. Either as an optional feature or enforced, both are fine by me.

It seems to be running smooth for me so far. Will report back if I encounter any issues.
#13 by yorhel
2014-10-29 at 08:14
So there were some issues with DNS that should have been resolved now. As a test I've currently configured the server to redirect everyone to HTTPS. If this works out I'll enable HSTS and configure the cookies to only be sent over HTTPS.
#14 by freemen
2014-10-30 at 03:23
Strange things are happening; I have two PCs with the same version of Firefox and the same settings, same OS, but the first one doesn't show the images (neither pics nor background), and the page is white and unformatted.

Tried clearing the browser cache and restarting the DNS service; at one point I used Fiddler, which is an HTTP proxy debugger, and found that after loading the first page, Firefox makes no more connections of any type to vndb.org; it just loads one single HTML file, then there are no more HTTP/S requests to vndb.org until I restart the browser, where the problem repeats itself: the first document is exchanged, then no connection anymore.

DOM inspector doesn't help, while on the other machine VNDB continues to work fine (same gateway, same DNS).

At the moment I have no idea in what direction to search, but I will make some more tests.

edit: deleted the Firefox profile, then the Firefox program, and reinstalled from scratch (manually cleared %appdata%), moved the proxy debugger to the other machine, still nothing; the old Explorer 8 that I never updated works fine with and without the proxy debugger, and Firefox on the other machine works; this is complete nonsense, I have no logic to understand what's happening or what is breaking the connections, but only with VNDB?? Firewall disabled and antivirus enabled or disabled (but they're the same on both machines). Now searching in the dark........
Last modified on 2014-10-30 at 03:41
#15 by yorhel
2014-10-30 at 07:10
@freemen: That's really weird. Have you tried waiting 5 minutes between page loads? Maybe it works if you give firefox some time to reset the connection and session state. That would still need to be fixed of course, but it might give some clues.
#16 by freemen
2014-10-30 at 20:24
First: I'm trying now and everything seems to work fine; the PC was hibernated between yesterday and today.

Next: now it's no longer a problem, but yesterday I installed Pale Moon, a Firefox fork that keeps the interface and tools for those who don't like the recent changes in Firefox; it creates its own profile.
Pale Moon had the same issue as Firefox, while today they're both working fine;
I wonder what happened..........
#17 by yorhel
2014-11-08 at 09:29
Alright, I've just enabled HSTS and configured cookies to be available only over HTTPS (i.e. enabled the "secure" flag). It's possible that this breaks login when your browser is sending an old insecure cookie and refuses to update it with the new cookie, just clear any VNDB cookies from your browser if that happens.
#18 by freemen
2014-11-08 at 10:34
No problem on login, but the same exact issue I had 3 posts ago just happened; I'm trying to figure out again what's happening.

edit:
Inspecting now using the Firefox developer tools, it seems that all documents that come from s.vndb.org have a size of 0 bytes, so I wonder if the culprit is Windows itself, since on the other PC I don't have the issue.

edit:
Found the problem: I can't pull any document via SSL from s.vndb.org because the date of my machine is too far behind the date of the web server, while this does not happen with vndb.org, so the GMT/UTC time between the two servers may be different while my PC has a totally different one; now I'm trying to deal with the timezone.

Ok, here is the solution:
If you want to set a different time zone to get the games working but keep the correct offset between your PC locale and GMT/UTC, you must edit these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Change the values of ActiveTimeBias and Bias (unit is minutes): use Windows Calculator in programmer mode with DWORD size selected on the left to convert the (negative) minutes offset to a hexadecimal value.

gmt+0 put 0x00000000
gmt+1 put 0x0000003c (dec value is 60)
gmt-1 put 0XFFFFFFC4 (dec value is -60 minutes)

Also keep in mind that if you open the date/time panel and change the timezone, those values will be overwritten.
Last modified on 2014-11-08 at 12:46
#19 by freemen
2014-12-18 at 21:15
For a few days now I have been failing to log in if I use a proxy; I must move to another machine to bypass the proxy and make a direct connection.

edit: I have some trouble understanding; it looks like I'm logged in on some pages and not logged in on others; tried to clean the cache in both the browser and the proxy software but I had no success.
The problem disappeared after a few days.........
Last modified on 2015-01-01 at 18:31
#20 by temporaryuser
2015-03-13 at 07:25
Can you please add date-based searching in the Visual novel filters? Like, we can set a range of dates and only VNs that have at least one release in that range will be shown. I think that would be a very good addition.
Last modified on 2015-03-13 at 07:26
#21 by warfoki
2015-03-13 at 07:46
In that regard enabling cross-searching in between releases, VNs, characters and staff would be the perfect solution. I don't expect that to happen anytime soon, but one can dream...
#22 by temporaryuser
2015-03-13 at 07:52
I think that would just need one join statement.
#23 by temporaryuser
2015-03-13 at 08:32
Also, I think the addition of a new section named 'related VNs' would be a good plus. This section can be added under the details page and will contain random VNs sharing the same tags.
#24 by temporaryuser
2015-03-13 at 08:34
Plus, we need to improve the user rating system, e.g. include a user reviews section where a user can review a VN, which will help other people. User reviews can also be upvoted and downvoted by others.
#25 by nutellafan
2015-03-13 at 11:15
I would like to ask out of curiosity... If a review system gets implemented, would that also include the ability to provide links to existing reviews of a game (of course, with some kind of system for users to gauge usefulness, to prevent spamming and such)? Or will it be strictly VNDB user reviews only?
