5C/ Why isn’t IIW Wiki Secure?
Why Isn't IIW Wiki Secure?
Convener: Omar Shafie
Notes-taker(s): Omar Shafie
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Because no one showed up, I did not have anyone to discuss my ideas with, but my basic ideas as I communicated to Heidi / Phil / Doc before the event via “Contact the Organizers” were the following:
(1) Use Let’s Encrypt (https://letsencrypt.org/) to provide free, automated, server-side TLS certificates
(2) And/or use Cloudflare (https://www.cloudflare.com/ - protects one domain for free), which could also help with load sharing / distribution
(3) Review password implementation to make sure passwords are uniquely salted and adaptively hashed with appropriate work factors (PBKDF2, bcrypt, etc.)
(4) Review software (OS, web server, database software, application software) used to make sure it’s up-to-date to guard against well-known security vulnerabilities
During my summary comments at the end of the day, I think Phil and Kaliya suggested that IIW could consider moving the Wiki platform to a place that already provides some of the basic security features.