mark: A photo of Mark kneeling on top of the Taal Volcano in the Philippines. It was a long hike. (Default)
Mark Smith ([staff profile] mark) wrote in [site community profile] dw_dev2020-04-25 01:50 pm
  • Add Memory
  • Share This Entry
Entry tags:

Updates on the security changes (how to keep your client working!)

Hi all,

I've got a few updates from the recent post on security changes. First, thanks everybody for the thoughts! Loved it. :)

So the main changes:

  • After consultation with some actual experts in the security space, I've added a pepper phase to the authentication storage. The TL;DR here is that we will be symmetrically encrypting the hashes before we store them in the database.

    The reason to do this is that it means a database breach (if one were to occur) would not provide the attacker with any useful data. In order to even get the hashes to start attacking them, the attacker would have to mount a second successful attack in order to exfiltrate the encryption key (which is not stored in the database at all).

    While in practice, the bcrypt hashes are probably all anybody really needs, it's very low cost for us to add this additional measure to the system. For the technically curious, we are using AES-256 encryption on our web servers and we have the ability to rotate keys over time, should we choose to do so.

  • Secondly, we have implemented [personal profile] pinterface and [profile] momijizukamorki's idea to use API keys as 'app passwords' to enable clients to continue to authenticate against Dreamwidth. This means Semagic and other clients can continue to work, but you will need to reconfigure them. See below!

Those are the main changes. Otherwise, tomorrow's code push will deploy the underpinnings of our new authentication storage and bring us into the modern age. At least when it comes to authentication storage. :)

Supporting Semagic (AFTER password changes are deployed)

Ok, so to use Semagic (and other clients), you will need to:

  1. Navigate to the Mobile Post Settings page.
  2. Click the Generate New API Key button in the Manage API Keys section.
  3. Copy the API key that was generated.
  4. Change your Semagic password to the API key you copied.
  5. That's it, have fun!

If you have any trouble with this, please let us know.

Flat | Top-Level Comments Only
runpunkrun: spires of atlantis with a christmas tree and two ice skaters on the pier, text: it's christmastime in the city (Default)

[personal profile] runpunkrun 2020-04-25 09:07 pm (UTC)(link)
Thank you so much for doing this for us! I'm excited to try it out tomorrow.
falena: illustration of a blue and grey moth against a white background (Default)

[personal profile] falena 2020-04-25 10:14 pm (UTC)(link)
I don't use Semagic but I'm thrilled to see you found a way to make it work for the people who do. This is the reason why I am so happy to be one of your paying customers and why I treasure this website so much. Thank you.
erika: text: moderation is like a foreign language. you have to learn that shit when you're young. (words: moderation)

[personal profile] erika 2020-04-26 01:53 am (UTC)(link)
Thank you so much! I can barely write in anything but Semagic anymore, hilariously, so I'm really, really grateful for this.
gatheringrivers: (Break out the champagne)

[personal profile] gatheringrivers 2020-04-26 03:20 pm (UTC)(link)
Yay for better security!
silvan_lady: (Default)

[personal profile] silvan_lady 2020-04-26 08:44 pm (UTC)(link)
Thank you for finding a workaround as I use Semagic all the time for several accounts. I really appreciate that you've thought of that and already posted a fix!

However, after pasting the API key into Semagic and signing in via Semagic, I get a warning telling me that my password isn't secure and that I should change it.

Am I correct to assume I just have to ignore that and click past it each time?

Also on the topic of Semagic, I have one journal where Semagic will pull out previous entries with no problem and another where I always get the response Server Reply is broken and cannot be processed. If I click on Show Server Reply a window of code opens. If anyone knows how to fix that, I'd be even more delighted!
mark: A photo of Mark kneeling on top of the Taal Volcano in the Philippines. It was a long hike. (Default)

[staff profile] mark 2020-04-26 08:55 pm (UTC)(link)
The "isn't secure" was a bug and is fixed now. Is it still happening (as of 30 seconds ago)?

I don't know about the other one. Does the server reply contain any private information, or could you share it?
silvan_lady: (Default)

[personal profile] silvan_lady 2020-04-26 09:11 pm (UTC)(link)
Bug has gone - thanks! That's what I love about DW.

Regarding the Server Reply issue, if both accounts had been broken I would just have assumed it was 'one of those things' but my other journal works fine.

Here's an example of a server reply I get after clicking the link in the error message dialogue box:-

events_1_allowmask 1 events_1_anum 189 events_1_event Is+%27unprecedented%27+the+most+over-used+word+of+the+year+so+far%3F%0D%0A%0D%0AI+can+think+of+several+alternatives+without+even+trying%21 events_1_eventtime 2020-04-16 23:40:00 events_1_itemid 6668 events_1_logtime 2020-04-16 22:40:56 events_1_security usemask events_1_subject Words... events_1_url https://silvan-lady.dreamwidth.org/1707197.html events_count 1 prop_1_itemid 6668 prop_1_name commentalter prop_1_value 1587380253 prop_2_itemid 6668 prop_2_name current_location prop_2_value on my wayto bed prop_3_itemid 6668 prop_3_name current_mood prop_3_value irritated prop_4_itemid 6668 prop_4_name current_moodid prop_4_value 112 prop_5_itemid 6668 prop_5_name interface prop_5_value flat prop_6_itemid 6668 prop_6_name picture_keyword prop_6_value Writing old prop_7_itemid 6668 prop_7_name picture_mapid prop_7_value 831 prop_8_itemid 6668 prop_8_name taglist prop_8_value english language, covid19 prop_9_itemid 6668 prop_9_name xpostdetail prop_9_value

Interestingly, when I first tried to reply, it was rejected as having text not valid in UTF-8 coding. There were two small squares at the end of the server reply which didn't show up in the code window, but did show once pasted here. I deleted them. (edited to fix typos)
Edited 2020-04-26 21:13 (UTC)
quirrc: dfghdf dfg hdfgh dfgdfg (Default)

[personal profile] quirrc 2020-05-11 02:16 pm (UTC)(link)
You see, prop 9 with name "xpostdetail", its value is truncated, that is, when script on server side generates the reply, it gives error when the value of xpostdetail is generated. Report it to support so they will know what to look for.
silvan_lady: (Default)

[personal profile] silvan_lady 2020-05-11 02:18 pm (UTC)(link)
Thank you, I will do that!
quirrc: dfghdf dfg hdfgh dfgdfg (Default)

[personal profile] quirrc 2020-05-12 05:53 pm (UTC)(link)
I have a reply from another user, she figured herself that it related to crosspoting, unchecked the setting in Dreamwidth to "crosspost to Live Journal by default" and it fixed it. So cross-post via Semagic function (until it is fixed at DW).
silvan_lady: (Default)

[personal profile] silvan_lady 2020-05-12 08:42 pm (UTC)(link)
Thank you, I have updated my support request with that information, and I have confirmed that it is indeed the cause of the problem.

I have left the request open in the hope that the problem will be fixed.
matrixmann: Engineer und tools at your service (Somebody called me?)

[personal profile] matrixmann 2020-04-27 11:39 am (UTC)(link)
Hm... Went through the big article on security changes and I think this might explain why Ljarchive as of today only returns the response "Sync error - invalid password" when using it for Dreamwidth (which previously worked fine).

If anyone should have an idea how to make this useable again, please make it public. (I don't know how many are out there which still use that program.)
Edited 2020-04-27 11:40 (UTC)
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2020-04-28 01:48 am (UTC)(link)
Have you followed the steps in the post to generate an API key and use that instead of your password?
matrixmann: Engineer und tools at your service (Somebody called me?)

[personal profile] matrixmann 2020-04-28 08:09 am (UTC)(link)
Ah, I notice I hadn't seen that the API key is something you generate on DW, not in Ljarchive's environment!
Generated one for my account and inserted it as a password - now that makes the program useable again.

Thanks for the hint!
Edited 2020-04-28 08:10 (UTC)
11221975: (Default)

[personal profile] 11221975 2020-04-27 12:52 pm (UTC)(link)
Thank you for this. However, for LJ Account Juggler, it still doesn't work. You have to log each account in, and there's nothing to add the API key to. How do I get that to work now? Would I have to change the PW for every single one of my DW accounts to the API Key to make it work?
Edited 2020-04-27 12:54 (UTC)
paranoidangel: PA (Default)

[personal profile] paranoidangel 2020-04-27 02:41 pm (UTC)(link)
I got it to work in LJ Juggler. I followed the instructions to get an API key. Then I deleted my login from LJ Juggler, added a new account, put my username in and used the API key as my password.
11221975: (Default)

[personal profile] 11221975 2020-04-27 03:34 pm (UTC)(link)

Thank you, I'll try that.

lovingboth: (Default)

[personal profile] lovingboth 2020-04-27 01:48 pm (UTC)(link)
The change did break Drivel's login.

Getting an API key and using it as the password unbroke it :)

Thank you!
0mkara: (Default)

Semagic

[personal profile] 0mkara 2020-04-27 06:48 pm (UTC)(link)
I get the part about generating a new API Key and using it as a Semagic pw, but I have not been able to make Semagic work at DW for a very long time. Are there instructions for checking the other correct Semagic boxes as well as putting in the correct URL and security port number?
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

Re: Semagic

[staff profile] denise 2020-04-28 02:26 am (UTC)(link)
Here is what we were told in the past will work: these settings. (You'll now also need to use the API key as a password, not your DW password, but that tweet has the settings that people reported to us will work.)
0mkara: (Art by J. Livia)

Re: Semagic

[personal profile] 0mkara 2020-04-28 05:06 am (UTC)(link)
Hi. Thank you. I tried that, but like for the last two people on that Twitter thread, it did not work for me. It said an error occurred in the secure channel support and that it could not contact server. Thanks though.
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

Re: Semagic

[staff profile] denise 2020-04-29 05:44 pm (UTC)(link)
I'm not sure what the answer is, then! (We don't make Semagic, so we're basically limited to repeating what other people have figured out.) Maybe try asking your friends if any of them use it? Or hopefully someone will read this and have the answer.
quirrc: dfghdf dfg hdfgh dfgdfg (Default)

Re: Semagic

[personal profile] quirrc 2020-05-11 02:13 pm (UTC)(link)
Do you have windows XP? I have such error on XP and it is related to SSL incompatibility with XP. With LJ it works because it does not use SSL in the protocol endpoint.
0mkara: (Default)

Re: Semagic

[personal profile] 0mkara 2020-05-13 05:08 am (UTC)(link)
Yes, unfortunately, XP is all I have left to use.
quirrc: dfghdf dfg hdfgh dfgdfg (Default)

Re: Semagic

[personal profile] quirrc 2020-05-26 05:24 pm (UTC)(link)
At that time, I did not study this topic, and now I found that it is possible to install TLS 1.2 update for XP. For me, it enabled some sites in some programs and some do not work anyway, but that can be due to my network configuration. You can see this link: https://www.smartftp.com/ru-ru/support/kb/2754
0mkara: (Default)

Re: Semagic

[personal profile] 0mkara 2020-05-27 02:26 pm (UTC)(link)
Thank you very much. I will take a look at this. :)
fuiseog: (Fiona)

Re: Semagic

[personal profile] fuiseog 2020-07-16 05:47 pm (UTC)(link)
Hi quirrc,

I downloaded and installed the updates to my XP, restarted and filled in Semagic as indicated, but it still will not contact the server. Thanks though. :)
anysia: (Kittypix)

[personal profile] anysia 2020-05-19 12:30 am (UTC)(link)
Thanks for the info. I really didn't want to use OpenLiveWriter for my weblog. It works, but I prefer Semagic interface.
0mkara: (Bite someone for no apparent reason...)

...

[personal profile] 0mkara 2020-05-27 02:30 pm (UTC)(link)
Off topic, but such pretty cats on your userpic. :)
katekintail: (Default)

[personal profile] katekintail 2020-08-06 08:17 pm (UTC)(link)
Thank you! I thought I was going crazy not being able to get Semagic to work, but now I know why it kept telling me my password was invalid. Thank you so much for this fix!
anysia: (Moping)

[personal profile] anysia 2020-08-07 02:54 am (UTC)(link)
Chiming in a bit late here again, but I booted into my Windows 7 boot drive, and launched Semagic. I Changed password to the generated API key I had made for Semagic on my Windows 10 boot drive. It was wrong. How long is a temporary IP ban with Semagic? *sigh*
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2020-08-07 07:49 pm (UTC)(link)

Only a few minutes for the first error (it gets longer over time). 

vesper_evensong: (Default)

[personal profile] vesper_evensong 2022-04-19 10:23 pm (UTC)(link)
How long do I need to wait when Semagic says I tried to login too many times?
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2022-04-19 10:39 pm (UTC)(link)
The wrong password backoff is incremental, so it depends on how many times you've gotten the wrong-password error. If you only got it once, wait ten minutes and try again. If you got it more than that, it will depend, but the longest backoff period is 24 hours, I believe.
vesper_evensong: (Default)

[personal profile] vesper_evensong 2022-04-20 12:45 am (UTC)(link)
That was super helpful as a response, and much faster than I thought! Thank you very much. I was just trying to set up Semagic to post to both LJ and DW and had some trial and error. It's now resolved and figured out. Your response was awesome!
adelate: (Lion)

[personal profile] adelate 2023-08-06 08:33 pm (UTC)(link)
I'm here over a year later, but... is Semagic still meant to work? I used it years and years ago and still have it installed, but even after doing this API Key step I keep getting a server error (400) when I try to log in. Is there a place where I could check if my settings are correct?
denise: Image: Me, facing away from camera, on top of the Castel Sant'Angelo in Rome (Default)

[staff profile] denise 2023-08-07 08:54 pm (UTC)(link)
I have a very vague memory that the error 400 either means that you need to make sure you have the setting for SSL/secure login turned on or that you need to update to the most recent version of Semagic, but I can't remember which of the two common errors goes with which of the two problems, heh.
adelate: (Aziraphale - :))

[personal profile] adelate 2023-08-08 05:23 am (UTC)(link)
Thank you so much! I'll try these once I'm on my own computer again.
adelate: Min Yoongi with his eyes closed on an orangey yellow background about to take a sip out of a yellow Teema coffee mug (Default)

[personal profile] adelate 2023-08-09 02:56 pm (UTC)(link)
Updating Semagic seems to have done the trick, thank you so much for your help! Honestly it's something I should've thought of myself, but I'm grateful regardless!
Flat | Top-Level Comments Only