#988 brought up a good discussion wrt security best practices. At present, it seems like the reliance is solely on the HTTPS protocol, and we enforce the HTTPS protocol by doing a 302 redirect from HTTP to HTTPS.
The issue here is that the HTTPS protocol has been attacked (quite successfully) over time and the best suggestion that experts offer is to keep the browsers updated on the client side. One good way to ensure better security would be to use a SHA-1 (or maybe SHA-256, considering the performance-security tradeoff) key pair to encrypt/decrypt the keys.
The architecture/process would look something like this:
1. Encrypt the password before making the POST call on the client side using the public key.
2. Decrypt the password on the server side using the private key.
3. If login is successful, the server should generate a JWT token, which can be used by the client-side browsers to check expiration, validity, etc.
4. The JWT token would be stored in the browser as a session cookie.
The usage of a public/private key strategy would basically take away all the plaintext passwords and in terms of a security breach, it'd be easy to rotate the keys. Would also assist in access management.
Something else we may want to consider as a solution for better security is federation -- we could integrate with Google or Facebook to have people use existing accounts (no need for a new password!) and to extricate ourselves from the auth process.
Thanks for the idea @maubinle. Problem with this is IRB imo. We want to give people the choice to authenticate with pseudonyms and nothing tied to their actual accounts (also, Google and FB are increasingly evil in their data handling standards). :)