Security and Privacy - Gamocosm/Gamocosm GitHub Wiki

Gamocosm is free software - both as in free beer and also as in free speech. This means Gamocosm respects users' freedom and community. I am a strong believer in free software, and since I began developing Gamocosm in 2014, I've tried to make Gamocosm a "totally legit project" - a project of principle.

We may have had plenty of bad stumbles, but Gamocosm, its development, and I are genuine. I think I've done a fair job of documenting everything I could think of that people would want to know, including things such as "how to run your own Gamocosm server" in great detail, even though probably no-one has ever bothered with it. Arguably, this page should have been written long ago, but honestly it just never came to mind, as I strictly avoided anything remotely "unfree". Regardless, it has come to mind now, and it is another important topic to be informative about.

Privacy

HTTPS

As of 2018 February 12, Gamocosm runs behind Cloudflare, a front end service used by many websites. Your connection is encrypted by HTTPS from your computer to Cloudflare's servers, and from Cloudflare to Gamocosm's servers. Prior to 2018 July 11, unfortunately the connection between Cloudflare and Gamocosm used unencrypted HTTP, as during original development and deployment, obtaining a valid SSL certificate was relatively troublesome. Now that Let's Encrypt is a thing, I have (albeit late) added full HTTPS support. Your connection first goes to Cloudflare through encrypted HTTPS, and the connection between Cloudflare and Gamocosm is now also through encrypted HTTPS.

Consequences

There is no way to spy on the contents of the data you communicate with Gamocosm while it is in transit. For example, someone spying on your (wifi) network (not unrealistic) would not be able to obtain your password. However, HTTPS doesn't protect Gamocosm servers from being hacked (there are other measures involved).

User data

Gamocosm uses the very popular Devise gem for user management (registrations, saving to the database). This is based on the principle "don't roll your own crypto" (Stack Exchange, AgileBits); a well-maintained and widely scrutinized library will certainly do things better (more securely) than I would.

Passwords

Devise uses the bcrypt gem (see Devise's lib/devise/encryptor.rb) to hash passwords. Note that hashing is different from encrypting, and hashing is the proper way to "store" passwords (Stack Exchange). Bcrypt is one of the two main/"proper" (read: reviewed and recommended by security experts) password hashing algorithms (the other being PBKDF2), and you can read more about it on this Stack Exchange question.

In short, hashing cannot be reversed; if someone obtains the hashed passwords, the only way they can recover a password is by brute-force checking all the possibilities. Using a good hashing algorithm (such as bcrypt) and a salt ensures it is probabilistically almost impossible (computationally infeasible - it would require too many attempts) to reverse a hashed password. So Gamocosm/Devise only ever stores the hashed passwords. Encryption, where the data is intended to be reversed by a trusted party, can also be done securely, but passwords for authentication can be verified with hashing without any need for decryption, so there is no need for a server to save decryptable passwords.
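As an added illustration (not Gamocosm's or Devise's code), here is salted password hashing and verification in Ruby. Devise delegates to the bcrypt gem; so that this runs with only Ruby's standard library, it uses PBKDF2-HMAC-SHA256 (the other algorithm named above) via OpenSSL::KDF, which shares the properties that matter here: a random salt per stored password, a tunable work factor, and verification that never decrypts anything. The `PasswordHasher` module and its record format are my own for this example.

```ruby
# Added example; not Devise's or Gamocosm's implementation.
# Stored record format (assumed for this example):
#   "pbkdf2-sha256$<iterations>$<base64 salt>$<base64 hash>"
require 'openssl'
require 'securerandom'

module PasswordHasher
  ITERATIONS = 100_000 # work factor: higher makes every brute-force guess slower
  SALT_BYTES = 16      # 128-bit random salt, unique per stored password
  HASH_BYTES = 32

  # One-way derivation; the salt is stored next to the hash so it can be redone.
  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: HASH_BYTES, hash: 'sha256')
  end

  # What the database row holds. A fresh salt means two users with the same
  # password get different rows, so a leaked table cannot be cross-referenced.
  def self.hash_password(password, iterations: ITERATIONS)
    salt = SecureRandom.random_bytes(SALT_BYTES)
    digest = derive(password, salt, iterations)
    ['pbkdf2-sha256', iterations.to_s, [salt].pack('m0'), [digest].pack('m0')].join('$')
  end

  # Constant-time comparison so timing does not reveal how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verification recomputes the hash from the candidate and the stored salt;
  # the original password is never needed, only a matching digest.
  def self.verify(stored, candidate)
    scheme, iterations, salt_b64, digest_b64 = stored.split('$', 4)
    return false unless scheme == 'pbkdf2-sha256' && digest_b64
    salt = salt_b64.unpack1('m0')
    expected = digest_b64.unpack1('m0')
    secure_equal?(expected, derive(candidate, salt, iterations.to_i))
  end
end
```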

Other user data

Devise additionally stores:

  • email
  • password reset token
  • password reset token time
  • "remember me" time
  • sign in count
  • current sign in time
  • current sign in IP
  • last sign in time
  • last sign in IP
  • created at
  • last changed at

Gamocosm does not do anything with these outside of Devise's functionality (e.g. resetting passwords). Gamocosm additionally stores your Digital Ocean API key, which it uses to create/manage servers on your account.

Consequences

If someone got access to Gamocosm's databases, they would never be able to get your passwords (all your other services would be safe, as there is no way to reverse a hash, and each hash is unique with a random salt). They would be able to create/destroy your servers, snapshots, and other data through the Digital Ocean API (TODO why can't do anything about it). At most the Digital Ocean API lets them reset your droplet passwords, which sends an email to your Digital Ocean email, so unless they had access to that, they would not be able to access your servers. With database access, they would also know your email and other Devise data such as up to your most recent 2 IP addresses (it doesn't save your creation IP address).

  • what data is stored on servers (standard Users model from widely used Devise library)
  • last login IP
  • email
  • properly hashed passwords
  • google analytics
  • no other tracking on Gamocosm's end
  • no ads

Security

  • password hashing
  • server infrastructure/security

In case of security breaches

  • what can be lost
  • history