@thomaszbz opened this Issue on June 26th 2015

I read more and more insecure recommendations in documentation.

I guess the whole documentation needs to be assessed in terms of security.

In respect to software deployment, there are a few basic rules that seem important to me:

  • Any software downloads need to be integrity and origin checked
  • Any web server uploads need to be integrity and target checked
  • As many files as possible need to be read-only for the web server user (e.g. www-data)
  • Any vHost needs to be separated (one vHost script may not read files of another vHost).
  • Any database needs to be password secured (with no insecure ports open)
  • [...]

On Piwik documentation, it already starts insecure: http://piwik.org/docs/installation/#getting-started

Before you get started, ensure that you have the following: [...]
    - Access to your web server (via shell or FTP)
    - A FTP Client (if you are installing Piwik on a remote server)

I would like to read something about SSH here. Even FTPS has limitations (potentially just encrypting credentials). And there's a difference to SFTP/SCP.

Download the latest release Piwik from http://builds.piwik.org/piwik.zip

Yes, a MITM brings his virus in and we install it on our web servers. With https, this would be way more secure. Users would not even notice it. The HTTPS version https://builds.piwik.org/piwik.zip is already available, so why not use it? Just add an "s"...

Open your FTP client [...]
If you have SSH access to your server, you can use it instead of FTP as it is much faster

Not just faster, also way more secure! But wait, why not download Piwik directly from the web server via shell using a secured https connection? This could also be worked around with a tiny PHP script downloading and extracting the installation files if users don't have shell access (still not the best option as it has similar limitations as before).

When Piwik is uploaded you can move on to the next step!

Did we miss the integrity check? Where's the SHA-x/MD5 hashsum I should check? Where can I get hashsums safely? Keep in mind a MITM can also compromise MD5 hashsums when he can compromise a download. If the download link is http, then at least the hashsum should be https.

How is it made sure that most of the files are read-only in the context of the web server (www-data) if users want to update without the web frontend's automatic update? This looks way too dangerous to me, anyway. Sure, people love it...

If you do not have the database information, you may need to ask your web host or technical staff.

In many cases this is right. I'm just missing the information that empty passwords can be painful here.

Also consider #7519. You need a security guideline for documentation!

I'm sure we'd see great improvements in the code after that is done! (e.g. https-piwik-api instead of http-piwik-api in default config).

Don't get me wrong. The current documentation is always the easiest way for users, which is good in some way. But I guess most of them don't know what they do when following these recommendations. They should be warned at least if they do insecure stuff.

Now I'm also wondering how you work internally. Do you upload builds via FTP to the Piwik web space?

Plus, security related documentation should be https-only. A MITM could easily downgrade the security level of the documentation otherwise (at least if users expect valid https).

Always keep in mind that attackers will use every possibility as soon as they figure out how. E.g. attacks like https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html

Related: #1867 dating back to 2010...
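The three checks the post asks for (HTTPS-only download, checksum verification, read-only files for the web server user), as an added POSIX shell example that is not part of this issue or of Piwik's own tooling. The download URL is the one the post quotes; the checksum URL is a placeholder because the issue does not say where Piwik publishes hashsums, and the checksum format (a bare SHA-256 hex digest) is an assumption. The network functions are defined but not called, so the script runs offline on a constructed file; the demo path runs with `sh script.sh --demo`.

```shell
#!/bin/sh
# Added example, not from the issue or from Piwik: fetch a release over HTTPS
# only, verify it against a checksum also obtained over HTTPS, and make the
# extracted tree read-only for the web server user before it is served.
set -eu

PIWIK_URL='https://builds.piwik.org/piwik.zip'                   # quoted in the issue
CHECKSUM_URL='https://example.invalid/piwik.zip.sha256'          # placeholder, assumed location

# Compute a SHA-256 hex digest portably (GNU coreutils or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX: returns 0 when FILE hashes to EXPECTED_HEX,
# 1 (and a message on stderr) otherwise. Case of the hex digest is ignored.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_https URL DEST: download over HTTPS only. curl refuses any other
# scheme, including an http:// redirect, so a downgrade fails instead of
# silently succeeding. Not called below, so the example runs offline.
fetch_https() {
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --fail --silent --show-error --location --output "$2" "$1"
}

# harden_tree DIR: files 0444, directories 0555, so the web server user
# (e.g. www-data) cannot modify application code. The operator relaxes the
# few paths that must stay writable (config, tmp) afterwards; chown to a
# non-web user is left out because it needs privileges.
harden_tree() {
    find "$1" -type d -exec chmod 0555 {} +
    find "$1" -type f -exec chmod 0444 {} +
}

# count_writable_files DIR: number of files under DIR that are not exactly 0444.
count_writable_files() {
    find "$1" -type f ! -perm 0444 | wc -l | tr -d ' '
}

# Offline demo on a constructed file: `sh script.sh --demo`.
# The full flow would be: fetch_https "$PIWIK_URL" piwik.zip;
# fetch_https "$CHECKSUM_URL" piwik.zip.sha256; verify_checksum piwik.zip "$(cat piwik.zip.sha256)".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/piwik.zip"          # constructed stand-in for the archive
    known='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'  # sha256 of "hello\n"
    verify_checksum "$tmp/piwik.zip" "$known" && echo "checksum OK"
    verify_checksum "$tmp/piwik.zip" "$(printf '0%.0s' $(seq 64))" || echo "tampered file rejected"
    harden_tree "$tmp"
    echo "files not read-only: $(count_writable_files "$tmp")"
    chmod -R u+w "$tmp" && rm -rf "$tmp"
fi
```

`--proto '=https'` and `--proto-redir '=https'` are the part that actually enforces the "just add an s" point: a plain `https://` URL still follows an `http://` redirect unless curl is told not to. Verifying the digest against a value fetched over a separate HTTPS request only helps if that second channel is also authenticated; a checksum served next to the download over plain http adds nothing, as the post notes.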

@tsteur commented on June 28th 2015 Owner

:+1:

@tohn commented on February 14th 2017

I'm also missing the integrity check (SHA-x/MD5-Hashsum), so 👍 for this issue.
