4.5: Security Enhancements

[[R] NuclearGeneral]

Although we continuously review security within Invision Community, a major release such as 4.5 allows us to be especially proactive when it comes to keeping your community safe. This blog entry outlines several enhancements to improve security in Invision Community 4.5. Password Handling Keeping your member's passwords secure is the simplest way to keep accounts safe and out of the wrong hands, so it makes sense to look at ways to ensure this doesn't happen. Invision Community already uses strong one-way hashing when storing passwords, which means that once the password is stored in the database, there is no way to know the plain text version. However, when creating a new member account via the AdminCP, a random password was created, and this was sent in the welcome email to the new member's email address. As of Invision Community 4.5, this no longer happens, and the new member is invited to create a new password when visiting the community for the first time. Part of your internal security procedures might be to force a reset of all passwords periodically. Invision Community 4.5 allows this on a per-member basis, or via a selection of filters to enforce a reset for many members at once. This clears out any stored password hashes and emails the affected members to remind them to set up a new password. AdminCP Security The Admin Control Panel contains the most powerful tools available to Invision Community. This is already a very secure area with a separate login with an option to add two-factor authentication to the login flow. Part of the session authentication has been a special key in the URL. While we have protection in place to prevent this special key being discoverable by a malicious user, there remains an incredibly remote theoretical chance that this could happen with a series of complicated steps. There was an additional annoyance that you are unable to share links within the AdminCP to members of your team due to the increased protection to keep URLs safe. As of Invision Community 4.5, we have removed the special key from the URL and moved it elsewhere in the session authentication flow. This means that it's impossible to fetch the special key via the URL and links can now be shared and will survive a login action. Text Encryption There are a few areas within Invision Community that we use text encryption to allow us to save data in the database in a format that is encrypted when saved and decrypted when read. This protects you in the incredibly remote event of your own hosting being compromised and your database downloaded (of course, our Community in the Cloud customers do not need to worry about this!) Invision Community 4.5 improves on this encryption by using PHP's built-in methods which give "bank-level" security to our encryption. Security is critical to the success of your community, and we are always proactive in improving security throughout Invision Community. Do you have any comments on this entry? Let us know below!

 

View the full article at IPS