Since its beginning, the CPPS community has come up against those who wish to compromise user security. CPPSes constantly face SQL injection attempts, moderator account compromise attempts, and more. With many database leaks over the past year, most recently from CPPS.ml, the time has come for actual vetting of CPPS security procedures. By interviewing CPPS owners, administrators, and developers about the security methods they use on their servers, I hope to give you all an accurate picture of how safe you are playing different CPPSes. Please use these posts as expert guidance on which CPPSes prioritize you, the user (and your safety), over adding new features. While I cannot ensure the accuracy of content beyond what CPPS representatives have told me in response to interview questions, nor predict future database leaks, I can and will point out blatantly insecure practices.
The first CPPS interviewed for security checks is CPPS.io. I asked Shaun, a developer on CPPS.io, questions on the following topics:
- Data storage (e.g. passwords, IPs)
- Database security (e.g. IP restrictions, VPN required)
- Website security (e.g. SQL injection protection)
- Server security (e.g. SSH keys)
- Operational security (e.g. Two-Factor Authentication)
You can find the full text of the interview at the bottom of this post. I will interpret what Shaun said so that you get the expert opinion of a former CPPS administrator, current Aureus administrator, and someone who has reported vulnerabilities to Fortune 500s before.
Summary: I cannot recommend playing CPPS.io due to its lack of Two-Factor Authentication for staff, and, more importantly, its use of MD5 for passwords. They plan to move to SHA1, an algorithm that is also insecure, in the near future. I trust that its owners believe they are following recommended practices; however, this is sadly not the case. CPPS.io should change to a secure algorithm like bcrypt and enforce Two-Factor Authentication for all staff game logins. Note that CPPS.io is not unique in these security oversights; far from it, unfortunately. Many publicly available CPPS sources still use MD5, such as a few currently found on Aureus.
Explanation: CPPS.io utilizes MD5 hashing for passwords, and stores user IP addresses. Moderators can view user IP addresses. They cannot view user emails.
Analysis: NIST, the National Institute of Standards and Technology (a U.S. government organization), neither recognizes nor recommends MD5 for use with passwords. Additionally, many online databases of unsalted MD5 passwords exist today, so someone with no computing-intensive resources and little computer knowledge can very easily crack MD5-hashed passwords. As such, I highly recommend against using MD5 for passwords, as, in my opinion, MD5 offers negligible security over plaintext passwords in 2017.
Summary: Your password is not stored securely on CPPS.io.
Explanation: CPPS.io wants to move to SHA1 for user passwords.
Analysis: SHA1, like MD5, is not recommended for use with passwords. It is, in fact, deprecated for usage in browser encryption, and this deprecation has been rolling out over the past few years. Google and Mozilla have strongly pushed against SHA1 due to its ever-increasing weakness, with great success.
Summary: Your password will not be stored securely on CPPS.io, if they move forward with using SHA1.
Note: CPPS.io has reached out to us post-interview and stated that they have scrapped the idea of using SHA1. They now plan on using bcrypt, an industry-standard, robust password-hashing algorithm.
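One way a site holding unsalted MD5 hashes can move to a slow, salted hash without forcing password resets, shown as an added example (not CPPS.io's code). bcrypt is not in the Python standard library, so the example uses `hashlib.scrypt` in its place; the function names, storage format and cost parameters are assumptions.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example; tune per server).
N, R, P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024

def legacy_md5(password):
    """Unsalted MD5 as described in the review: same password, same digest."""
    return hashlib.md5(password.encode()).hexdigest()

def slow_hash(password, salt=None):
    """Salted, deliberately slow hash stored as 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=N, r=R, p=P, maxmem=MAXMEM, dklen=32)
    return "scrypt${}${}".format(salt.hex(), digest.hex())

def verify_and_upgrade(password, stored):
    """Check a login and return (ok, value_to_store).

    Rows already in the new format are verified against their own salt.
    Legacy MD5 rows are verified once and, on success, rehashed so the
    MD5 digest can be dropped from the database.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = slow_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored), stored
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (slow_hash(password) if ok else stored)

# Constructed sample rows: two users who chose the same password.
users = {"alice": legacy_md5("penguin123"), "bob": legacy_md5("penguin123")}

if __name__ == "__main__":
    # Identical digests are what make precomputed MD5 lookup databases work.
    print("same MD5 digest:", users["alice"] == users["bob"])
    for name in users:
        ok, users[name] = verify_and_upgrade("penguin123", users[name])
        print(name, ok, users[name][:30] + "...")
```

After the upgrade the two rows no longer match each other, because each carries its own random salt.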
Explanation: CPPS.io uses an SSH tunnel to access their database. It can only be accessed through this SSH tunnel. Additionally, they have IP checks to only allow certain IPs access to their database server.
Analysis: This is state-of-the-art practice, with IP restrictions enforcing location, and SSH tunneling requirements enforcing authentication. I wouldn’t expect anything better, nor would I think it necessary. Of course, this does not remove the need for strong password hashing, as SQL injections are still a thing. I did not check for outdated and/or vulnerable software on CPPS.io’s database server(s).
Summary: The database itself is protected well.
Explanation: CPPS.io uses an unknown layer 7 firewall that attempts to filter out SQL injection attempts.
Analysis: Using any form of firewall is a good method of protecting against SQL injections. They did not mention whether they used prepared statements, which is unfortunate, as prepared statements are a state-of-the-art, foolproof way of keeping damaging injections out of queries, whatever the language. Firewalls, on the other hand, depend on configured rules to recognize SQL injections.
Summary: CPPS.io has a fine system of preventing injections, though prepared statements would provide stronger protection.
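The difference between building a query from strings and using a prepared statement, shown as an added example (not CPPS.io's code). The table, column names and inputs are constructed for illustration, and SQLite stands in for whatever database a CPPS actually runs.

```python
import sqlite3

def make_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE penguins (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO penguins (username) VALUES (?)",
                   [("alice",), ("O'Brien",)])
    return db

def lookup_concat(db, username):
    """Vulnerable pattern: the input is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT username FROM penguins WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_prepared(db, username):
    """Prepared statement: the query shape is fixed and the input is bound as a value."""
    sql = "SELECT username FROM penguins WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

def compare(db, username):
    """Run both lookups on one input and report what each returned."""
    try:
        concat = lookup_concat(db, username)
    except sqlite3.OperationalError as exc:
        concat = "error: {}".format(exc)
    return {"concat": concat, "prepared": lookup_prepared(db, username)}

# Constructed inputs: a legitimate name containing a quote, and a string
# that rewrites the WHERE clause when it is concatenated into the query.
SAMPLE_INPUTS = ["O'Brien", "x' OR '1'='1"]

if __name__ == "__main__":
    db = make_db()
    for value in SAMPLE_INPUTS:
        print(repr(value), compare(db, value))
```

The concatenated lookup breaks on the legitimate name and returns every row for the second input, while the prepared lookup returns exactly one row and no rows respectively, with no filtering rules involved.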
Explanation: CPPS.io administrators are required to use SSH keys in order to access CPPS.io servers. Additionally, they turn over these SSH keys every so often (no set time period).
Analysis: All system administrators should use SSH keys, and not passwords, to authenticate to their servers. I would like to see CPPS.io expand to provide an internal VPN for its staff members, where it could only allow for SSH connections on that private subnet.
Summary: CPPS.io has fine server security, though it would be nice to see that expand further into putting SSH on an internal subnet.
Explanation: CPPS.io has no form of Two-Factor Authentication (2FA) on the game itself. Its staff members do not need to use 2FA in order to access their moderation tools. The only area that offers 2FA is their WordPress blog. Nobody except for the two CPPS.io administrators, Squirrel and Shaun, has access to the database.
Analysis: In today’s CPPS world, 2FA is practically a necessity. It offers incredibly robust security for user accounts. At a minimum, I find it an extremely outdated practice that staff accounts are allowed to log in without 2FA. With attempts (and successes) to compromise user and staff accounts on the rise in this community (see CPPS.ml), CPPS.io should implement 2FA sooner rather than later. For more information on 2FA and its implications for CPPSes, you can read this forum topic I made about it on Aureus.
Summary: CPPS.io uses outdated opsec practices, and should make adding Two-Factor Authentication for users and staff a high priority.
That’s all for now! I hope you enjoy these new Security Checks. As a reminder, you can find a summary for CPPS.io’s security review at the top of this article.
For the raw interview text, with any parts that the server owner has requested censored marked as such, please click on this URL: https://i.succ.in/DvW.txt