Difference between revisions of "Security"

From Mi caja de notas

(Page created with "{{stub}} A page intended to feed iwc:security-fr. == indieweb == {{iwc}}")
 
m (first draft translation to be continued)
Line 4:

A page intended to feed [[iwc:security-fr]].

== indieweb ==

{{iwc}}
<span style="float:right;height:128px;font-size:128px;margin:72px 0 -64px">🔒</span>

{{stub}}

'''<dfn>Security</dfn>''' in the context of the indieweb can refer to security concerns about [[personal-domain-fr|personal domains]], [[hébergement web|web hosting]], [[https]] configuration, private data, identity, and so on. Almost everything on the Internet, including the web, and therefore the indieweb, has security problems.

== Why ==

You should make your personal site more secure so that you and others can trust it even more.

== How to ==

See:

* [[iwc:CSP]]
* [[iwc:HTTPS]]
* [[iwc:sandbox]]

== Visibility ==

__TOC__

Services that require logins or act as [[authorization-endpoint|authorization servers]] should provide a way for users to see an audit trail of events relating to their account. For example:

=== GitHub security history ===

[[GitHub]] provides a [https://github.com/settings/security page listing accesses to your account] with details such as the device, OS, location and date of each access:

[[File:github-security-history-example.png|400px]]

=== Google recent activity ===

[[Google]] provides a [https://www.google.com/settings/security recent security activity log] with the date, browser and OS used to access your account, and other information:

[[File:google-security-history-example.png|400px]]

== Breaches ==

Security breaches, as reported by the sites concerned:

=== 2014 ===

* 2014-04 [[Heartbleed]]
* 2014-02-15 [[Kickstarter]] https://www.kickstarter.com/blog/important-kickstarter-security-notice
* ...

== Reproducible problems ==

=== https http botches ===

Today, when standards like [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HSTS] try to mitigate [[https]]-to-http degradation [https://en.wikipedia.org/w/index.php?title=Moxie_Marlinspike&redirect=no#Notable_research attacks], there is no reason to allow http at all. All http should redirect to https.

Examples of "willful degradation" in indieweb-related software and services:

* Webmentions to [[Known]] only work if you mention the http URL. This may encourage using unsafe links to [[Known]] (which shouldn't exist in the first place).
* [[webmention.io]] regards http and https as different URLs. Perhaps this is not a bug, because in a perfect world there ''wouldn't'' be any https.

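As an added example that is not part of this wiki page, here is a small offline checker for the two properties this section asks for: that a site's plain-http URL answers with a redirect to the https URL on the same host, and that the https response carries a usable HSTS header (per RFC 6797, browsers ignore HSTS received over plain http, which the checker flags). The responses are constructed stand-ins rather than fetched; the `check_site` and `parse_hsts` names and the one-year `min_max_age` default are assumptions of this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for an HTTP response; a real checker would fetch these.
@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if max-age is missing or invalid."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            out["max-age"] = int(arg)
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max-age"] is not None else None

def check_site(http_url, http_resp, https_resp, min_max_age=31536000):
    """Return a list of findings; an empty list means the http->https redirect and HSTS look right."""
    findings = []
    host = urlsplit(http_url).hostname
    loc = http_resp.header("Location")
    target = urlsplit(loc) if loc else None
    if target is None or http_resp.status not in (301, 302, 307, 308):
        findings.append(f"http URL does not redirect (status {http_resp.status}, Location {loc!r})")
    elif target.scheme != "https" or target.hostname != host:
        findings.append(f"http URL redirects to {loc}, not to https on {host}")
    elif http_resp.status in (302, 307):
        findings.append("redirect is temporary; use 301/308 so clients cache it")
    if http_resp.header("Strict-Transport-Security"):
        findings.append("HSTS sent over plain http is ignored by browsers; send it on the https response")
    hsts = https_resp.header("Strict-Transport-Security")
    parsed = parse_hsts(hsts) if hsts else None
    if hsts is None:
        findings.append("https response has no Strict-Transport-Security header")
    elif parsed is None:
        findings.append(f"HSTS header is malformed: {hsts!r}")
    elif parsed["max-age"] < min_max_age:
        findings.append(f"HSTS max-age {parsed['max-age']} is below {min_max_age} seconds")
    return findings
```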
== Web hosting ==

Should you write about your [[web hosting]] setup?

In some regards yes, to help out other members of the community.

However, from a security perspective, disclosing which web host you use, which software, which VPS, or how you implement your server configuration is a potential security issue, because every piece of information you give a potential attacker about your setup helps narrow the space of weaknesses to explore.

So, how do you share information without endangering yourself in that regard?

You decide you're not a worthy target, or you decide you'd rather share publicly in the hope that friends will warn you about any flaws before an attacker exploits them.

== Dealing with unknown problems ==

Per https://en.wikipedia.org/wiki/Secure_by_design :

* Peer review existing protocols and [https://dubiousdod.org/indie/2014/11/i-always-think-of-this-classic-http-homakov-blogspot implementations].
* Look for docs, advice and potential peer reviewers at communities like [https://mailman.stanford.edu/mailman/listinfo/liberationtech MIT's Liberationtech mailing list] (''any other ideas?'').
* Think in advance about the security implications of features like private messages.
* Always prefer existing and ''popular'' (i.e. constantly peer-reviewed) technology to reinventing crypto.
* Eventually, prepare guidelines for site owners and developers on the wiki (similar to the [https://ssd.eff.org/en/module/keeping-your-data-safe EFF's SSD]).

== See also ==

* [[iwc:CSP]]
* [[iwc:https]]
* [[iwc:WordPress_Security|WordPress Security]]

Revision of 29 December 2016 at 08:28
