Hi Scott

Just to add to Rob’s excellent answer that the upcoming TiddlyWiki 5.1.18 
includes native support for serving over HTTPS. Sadly, hosting SSL services 
with a self-signed certificate requires some messing around to tell your 
browsers to trust the certificate, but once set up it does offer robust 
protection against network traffic snooping.

You can see the docs for the HTTPS support here:

https://tiddlywiki.com/prerelease/#Using%20HTTPS:WebServer%20%5B%5BUsing%20HTTPS%5D%5D%20%5B%5BWebServer%20Parameter%3A%20tls-key%5D%5D%20%5B%5BWebServer%20Parameter%3A%20tls-cert%5D%5D

There are of course still scenarios where it makes sense to put TW behind nginx 
or another proxy (e.g. defense against DDoS attacks).

Best wishes

Jeremy.
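
As an added example (not code from Jeremy's post or from the TiddlyWiki project), the shell script below sets up the native HTTPS support he mentions: it generates a self-signed certificate and starts the server with the 5.1.18 --listen command's tls-key and tls-cert parameters instead of the older positional --server syntax in Scott's command. It assumes openssl 1.1.1 or later and the tiddlywiki command on PATH, a wiki folder ./mytiddlywiki, and a placeholder LAN address of 192.168.1.10.

```shell
#!/bin/sh
# Added example, not from the thread: serve a wiki folder over HTTPS with the native
# tls-key / tls-cert parameters of the TiddlyWiki 5.1.18 --listen command, using a
# self-signed certificate. Assumed: openssl 1.1.1+ and tiddlywiki are on PATH; the
# LAN address below is a constructed placeholder, use the one your phone connects to.
set -eu

WIKI_DIR="./mytiddlywiki"   # the wiki folder Scott starts, relative to this script
LAN_IP="192.168.1.10"       # placeholder LAN address of the laptop running the server
CERT_DIR="./tls"
PORT="12864"

# Create a self-signed certificate whose Subject Alternative Name covers the LAN address.
# Browsers check the SAN, not only the CN, so a certificate without it is still rejected
# after it has been imported into the phone's trust store.
make_cert() {
    mkdir -p "$CERT_DIR"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -subj "/CN=tiddlywiki-lan" \
        -addext "subjectAltName=IP:$LAN_IP,DNS:localhost" \
        -keyout "$CERT_DIR/server.key" -out "$CERT_DIR/server.crt" 2>/dev/null
    chmod 600 "$CERT_DIR/server.key"   # private key readable by this user only
}

# Build the --listen argument list, one argument per line. Credentials are taken from
# the TW_USER / TW_PASSWORD environment variables instead of the command line, so they
# do not show up in the process list or the shell history as they do in Scott's command.
listen_args() {
    printf '%s\n' "--listen" \
        "host=$LAN_IP" \
        "port=$PORT" \
        "tls-key=$CERT_DIR/server.key" \
        "tls-cert=$CERT_DIR/server.crt" \
        "username=${TW_USER:?set TW_USER}" \
        "password=${TW_PASSWORD:?set TW_PASSWORD}"
}

# Run as `TW_USER=me TW_PASSWORD=... ./serve-https.sh serve`; without the argument the
# functions are only defined, so the file can also be sourced.
if [ "${1:-}" = "serve" ]; then
    [ -f "$CERT_DIR/server.crt" ] || make_cert
    set -f   # no globbing, so a password like Scott's "*MYsecretPassword" survives intact
    IFS='
'        # split the listen_args output on newlines only
    exec tiddlywiki "$WIKI_DIR" $(listen_args)
fi
```

The phone will still warn about the certificate until server.crt is imported into its trust store, which is the "messing around" Jeremy refers to; binding to the LAN address rather than 0.0.0.0 also keeps the server off every other interface.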

> On 30 Aug 2018, at 01:44, Rob Hoelz <[email protected]> wrote:
> 
> Hi Scott,
> 
> So take everything I'm about to say with a giant grain of salt - a lot of 
> this assumes that an attacker is very interested in your wiki!
> 
> If you were sitting in a café with your laptop connected to unencrypted WiFi 
> and you were connecting to TiddlyWiki on your laptop from your phone, the 
> contents of your wiki would be visible to anyone wanting to sniff traffic out 
> of the air.  From a cursory look at the TiddlyWiki server code, it looks to 
> me like TiddlyWiki uses basic authentication, which means one could easily 
> derive your username and password from this traffic.  Without observing 
> traffic an attacker would have a harder time, but I guess they could port 
> scan to find open ports on your laptop and try to brute-force your username 
> and password - assuming the network operator allows different WiFi clients to 
> talk to each other.
> 
> Regarding port forwarding, you're in a similar situation - TiddlyWiki serves 
> its traffic over HTTP, so anyone between the machine accessing your 
> TiddlyWiki and your home router could sniff this traffic.
> 
> To fix packet sniffing, this is fairly easy to guard against (I'm not sure 
> how technical of a background you have, so be warned - here be dragons!) - 
> you could use an HTTPS reverse proxy like nginx with Let's Encrypt to provide 
> a certificate to encrypt the traffic between your laptop or router and your 
> Android/iOS device.
> 
> To protect against brute forcing, you would probably want some mechanism to 
> deny a user after a certain number of incorrect tries, like fail2ban.
> 
> -Rob
> 
> On Wednesday, August 29, 2018 at 5:25:11 PM UTC-5, Scott Kingery wrote:
> After some poking around this forum I've been starting my tiddlywiki on my 
> LAN with:
> tiddlywiki .\mytiddlywiki --server 12864 $:/core/save/lazy-images text/plain 
> text/html "myusername" "*MYsecretPassword" 0.0.0.0
> 
> It's cool because I can get to my wiki from anywhere on the LAN and works 
> nice on Android and iOS because I can browse to the wiki without much other 
> hassle.
> 
> Not too worried about security because the only one who knows about it is me. 
> I am wondering how secure this is if it were on a larger LAN than my house?  
> Or maybe some port forwarding to get to my server from outside my LAN.
> 
> Thanks,
> Scott
> 

-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/tiddlywiki.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/933B7AC0-9F00-4F8D-9177-6C96354247C0%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
