[pmwiki-users] One time passwords, anyone?

Petko Yotov 5ko at 5ko.fr
Fri Aug 21 10:27:10 CDT 2015

On 2015-08-21 11:51, Oliver Betz wrote:
> does anybody use one time passwords with PmWiki?

I don't.

> To access private pages from foreign (untrusted) machines or networks,
> it would be a nice option.
> But I'm afraid that it is not simple to implement, correct?


> With time based OTP like Google authenticator, one needs to keep track
> of used passwords to avoid replay attacks. Counter based OTP need to
> store the new counter value.
> With challenge/response systems, you need a suitable password
> generator on your mobile device.

Actually this can be easier/simpler: the wiki generates a one-time 
password, stores in a server session file, and sends it via e-mail or 
SMS to the user. The user has not left the wiki page (to keep the 
session id), checks her e-mail or SMS and types the one-time password.

> And: Since PmWiki uses PHP sessions for authentication, is it
> vulnerable to session hijacking?

Yes, like any other software using session cookies (eg.: all of them). 
If your wiki is accessible over HTTP and not https/ssl, anyone between 
you and your wiki might possibly read anything that is sent in both 
directions. This includes your home router, the switches and routers of 
your local ISP, the switches and routers of your hosting provider and 
the server where your wiki is.

In reality, it is not likely that someone at your home ISP would try to 
steal session ids or passwords, but the risk should be estimated by you.

However, if you connect via a public open wifi hotspot, it is possible 
that someone can read the data packets you send via radio waves, and 
discover your passwords or session ids.

If a wifi hotspot is encrypted and you have to enter a WPA password like 
at a café/restaurant/friend, then the link to the hotspot is protected 
but if you connect to any website over HTTP not HTTPS, then the owner of 
the hotspot/router can potentially store and read all data sent.

Even if you use TOR, anyone between the last TOR exit node and your HTTP 
wiki can read the data -- and seeing your website, name, e-mail address, 
can know exactly who you are.

If you connect via HTTPS, in theory only your browser and the server of 
your hosting provider, where the wiki is, can know the data sent and 
received[*]. That's why there are campaigns "HTTPS everywhere" and 
"Let's Encrypt". I can only hope that when "Let's Encrypt" becomes 
available, shared hosting providers will enable it for all their clients 
at no cost, as these certificates are free of charge. (They would still 
require a dedicated IP address but this can be IPv6, also free.)

Note that some hosting providers offer a "shared" ssl server to access 
to your site, with a different address like 
https://ssl2.ovh.net/~username/ (the European OVH provider) or 
https://secure27.prositehosting.co.uk/username/ (FastHosts UK). This can 
be free of charge or only enabled for some hosting plans. If you have 
sensitive data, but cannot afford an SSL certificate with a dedicated IP 
address, it is always better to use the secure server than your own 
domain name.

Now, if one has to write a module sending a one-time-password via 
e-mail, once again, your e-mail client should connect to the e-mail 
server via an encrypted connection (ssl/tls). Most e-mail providers 
allow such connections. If the connection to the e-mail servers is not 
encrypted, it is exactly like the HTTP connection, can be read by anyone 
on the network.

About the SMS, if the wiki sends the one time password, on some phones 
the message is shown even if the screen is locked. Again, this may be 
not sufficiently secure. Also, it is not always possible to send an SMS 
to a phone via the web: some phone companies allow it with an 
email-to-sms gateway or via a special API. Generally, to avoid spam, 
this is either password-protected and must be enabled by the phone 
owner, or it costs something like 0.12 EUR incl. VAT per message.


[*] Some companies have their IT departments install bogus SSL 
certificates on every computer, laptop or smartphone, so that they can 
log and store all data send by their employees or users. This is worse 
than everything because the browser is tricked to connect to a website 
by an incorrect certificate, and the data is decrypted by a device or a 
program on the routers of the company, stored, then re-encrypted and 
send to the server and back to the user. This is used in some schools to 
check if pupils connect to illegal or pornographic websites, and to read 
their Facebook posts. In some places they even require you to install 
the company's SSL certificate on your own laptop/smartphone. :-( Brave 
new world.

Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades

If this message helped you and saved you time, feel free to make
a small contribution: ♥ http://5ko.fr/donate-ml (mailing list).

More information about the pmwiki-users mailing list