HTTPS on the Backstage Area

I do not want to bring any infected discussions up again, but when I read this thread I definitely think that it is time to put HTTPS on the backstage area?

It’s very easy to sniff passwords from unsecured sites, especially if you sit on the same subnet as the user that is logging in and the switch is broadcasting due to overheating, or if you are a bit more advanced you can do some ARP poisoning on a remote server in a completely different subnet. The password in an unsecured html post is just base64-encoded so it is almost as easy to read it as to read plain text.

Well, logging on and downloading all download content on backstage (including the beta) is being logged, as well as IP origins.
If the log-files show an extraordinary amount of downloads from the same account, this will already be suspicious, but if there are multiple ip origins it is enough to close the account for that.
For as far as we know this never happened.

All leaks were either done on purpose (usually this situation has been denied) or due to carelessness: adding the file in sharing folders of the computer (whether p2p apps or just shared network mappings in Windows), or leaving the computer unattended so someone could copy or forward or post the file to some place from it.

Sniffing specifically for passwords or usernames on the same subnets rarely occurs (or we are dealing with a company spy that performs these acts). Doing these kinds of things remotely is usually done with spyware and trojans, which are much more effective.

Still it is much easier to use a trojan to scan harddrive(s) contents than searching the harddrive for passwords and login data.

There has been an idea pushed in the mailing list to password protect the archive using the backstage password of the user so that if copied, it can’t be extracted just like that.
Or instead of using the user password, generating an exotic one and posting it on screen.

Deliberate leaking will then also be more detectable if discovered on a very short notice.
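
The log check described in the post above, written out as an added example that is not part of the thread or of the Renoise backstage code. The log layout, account names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample download log. The "timestamp account ip file" layout is an
# assumption for this example, not the real backstage log format.
SAMPLE_LOG = """\
2006-10-02T10:01:11 alice 192.0.2.10 renoise-beta.zip
2006-10-03T19:40:02 alice 198.51.100.7 renoise-beta.zip
2006-10-02T11:15:30 bob 192.0.2.44 renoise-beta.zip
2006-10-02T11:20:05 bob 198.51.100.23 renoise-beta.zip
2006-10-02T11:31:47 bob 203.0.113.9 renoise-beta.zip
2006-10-04T08:00:01 carol 192.0.2.80 renoise-beta.zip
2006-10-04T08:05:01 carol 192.0.2.80 renoise-beta.zip
2006-10-04T08:10:01 carol 192.0.2.80 renoise-beta.zip
2006-10-04T08:15:01 carol 192.0.2.80 renoise-beta.zip
garbled-line
"""

MAX_DOWNLOADS = 3  # hypothetical threshold per account
MAX_IPS = 2        # tolerates a user who downloads from two computers

def parse(log_text):
    """Yield (timestamp, account, ip, filename), skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def flag_accounts(log_text, max_downloads=MAX_DOWNLOADS, max_ips=MAX_IPS):
    """Return {account: [reasons]} for accounts exceeding either threshold."""
    downloads = defaultdict(int)
    origins = defaultdict(set)
    for _ts, account, ip, _name in parse(log_text):
        downloads[account] += 1
        origins[account].add(ip)
    flagged = {}
    for account, count in downloads.items():
        reasons = []
        if count > max_downloads:
            reasons.append(f"{count} downloads")
        if len(origins[account]) > max_ips:
            reasons.append(f"{len(origins[account])} ip origins")
        if reasons:
            flagged[account] = reasons
    return flagged

if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(SAMPLE_LOG).items()):
        print(account, "->", ", ".join(reasons))
```

A login that arrives from the account owner's own IP, the ARP spoofing case raised in the next post, does not trip the IP-origin check, so this kind of log review complements encrypting the login rather than replacing it.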

The thing with for example ARP poisoning (also called ARP spoofing) is that you “borrow” someone’s IP by placing yourself in the middle. So if I first sniff your password and then log in using this technique I will both get your password and the same IP as you when I log in and download from the backstage area.

And because it hasn’t happened already it doesn’t mean that it will happen. Renoise is growing and the more popular it gets it will probably be more and more possible that hacker and cracker groups will try to get hold of a copy of it in more and more advanced ways. They will probably not wait till they find someone on a p2p network that is sharing his whole hard drive ;)

Sniffing passwords isn’t as rare as you think it is. And no, it is not usually done by spyware and trojans. You just have to have some average knowledge in networking to perform such things and as long as the connection is unsecured the hacker just has to hook up on a router between you and the users that are logging in and then the damage is done…

Sure, as I said, it (maybe) hasn’t happened yet, but that is not a guarantee that it won’t happen sooner or later. Better to be safe than sorry.

I hope you’re not being too strict about it, tho. I’ve downloaded from different computers a few times.
I use Renoise on two computers and both are connected to internet.

Actually, HTTPS is on my ToDo list. Although i plan to use a self-signed certificate for the beginning.

this has been on my mind since i read about the leak.

i noticed some of the older versions of renoise that were on p2p nets had user names on them, so what is to stop someone from stealing a credit card, going to a net cafe or using a proxy, buying a registration and then sharing it?
i guess it’s futile to worry about such things since no matter what technology is in place there will be or are ways to evade it.

maybe more incentives for only ‘registered users’ could be in order?

I think that the fair price & community coupled with an un-crippled unregistered version for those who can’t pay is more than enough incentive to register. Renoise is worth supporting, rooted and supported by “the scene”, and Renoise supports back. Precautions should be taken, obviously, but why tackle problems before they occur?

In terms of userbase, my bet is there’s a much better ratio of registered Renoise users than there are of any other sound apps, where people tend to use but don’t pay.

Why change what isn’t broken?

Eh… I guess you’re kidding. I guess we shall not tackle a nuclear war before it occurs either then… Do you use to keep your saved money in an unlocked case in your backyard as well? Else it’s a good tip, because as long as it works it’s not a problem…

It will not cost much to put security on the backstage area, but it can cost several unlucky users their Renoise licences if their accounts get on the run because of bad security, so what is the deal here??? Ignorance is sometimes a bliss, but I guess you won’t laugh the day it happens to you.

Pulsar, I guess you know that you can get free signed certificates from this site http://www.cacert.org/
A bit better than a self-signed certificate even if it is not included in all mainstream browsers.

Yeah, i already know that one. Although i don’t see the real advantage for novice users here. Those won’t see any difference between self-signed certificates and certificates signed by cacert.org. Power users might have already imported the root certs of cacert and will have no problem with our certificates either. I don’t know, but if i did not know cacert.org and an accept-certificate request popped up on my screen i would rather think twice before accepting a certificate signed by a company i don’t know instead of a certificate signed by the page i want to log in to.

https://backstage.renoise.com:8443/app/userArea/index.page

i still need to set up mod_jk and apache certs though. Some users won’t be able to access 8443 because of restrictive proxy / firewall settings.

Cheers!

It depends, and i really doubt if raising safety measures at the gate will resolve the problems; they will for sure eat more time and investment.
Usually those techniques will make the price go higher.
And why should any user like to shell out another 20 to 30 euros extra just because of the safety measures taken for protecting development while the original 49 euros is only to say “thanks for the hard work here’s my share of the deal”?
You get this dongle discussion again all over the place… a piece of electronics that can break down and cause grey hairs when not supported anymore.

Yes, you are right, good point! didn’t think about that :wink:

ok, looks good so far:

https://backstage.renoise.com

i would appreciate if some of you could give it a try and report glitches (if there are any except the self-signed certificate). If there aren’t any i will switch the backstage area behaviour to ssl and inform the visitors on the login screen about the changes.

Cheers!

Neat, works fine here, WinXP Firefox 1.5.07.

Yeah, same here but on Win2000.

I tried a different user name and password than mine. It didn’t work.

well, it should not. I hope this was positive feedback, or did you discover an actual problem here?

Anyway, i have already modified the login mechanism for the backstage area, now you can choose to use ssl before you log in.

pulsar, I didn’t actually try. :) Just messing with Bantai’s sense of security. ;)

Hcys? Who is that? :P

lol :D