Thanks, Rob and Jeremy. Both answers make sense to me. The contents of the 
wiki I'm using to test this would put any attacker to sleep if they did see 
the traffic over the wire :) I'll probably try out the HTTPS features in 
the future if only to learn how it all works.

Thanks again for the explanation and links!

On Thursday, August 30, 2018 at 4:49:41 AM UTC-7, Jeremy Ruston wrote:
>
> Hi Scott
>
> Just to add to Rob’s excellent answer that the upcoming TiddlyWiki 5.1.18 
> includes native support for serving over HTTPS. Sadly, hosting SSL services 
> with a self-signed certificate requires some messing around to tell your 
> browsers to trust the certificate, but once set up it does offer robust 
> protection against network traffic snooping.
>
> You can see the docs for the HTTPS support here:
>
>
> https://tiddlywiki.com/prerelease/#Using%20HTTPS:WebServer%20%5B%5BUsing%20HTTPS%5D%5D%20%5B%5BWebServer%20Parameter%3A%20tls-key%5D%5D%20%5B%5BWebServer%20Parameter%3A%20tls-cert%5D%5D
>
> There are of course still scenarios where it makes sense to put TW behind 
> nginx or another proxy (e.g. defense against DDOS attacks).
>
> Best wishes
>
> Jeremy.
>
> On 30 Aug 2018, at 01:44, Rob Hoelz <[email protected]> 
> wrote:
>
> Hi Scott,
>
> So take everything I'm about to say with a giant grain of salt - a lot of 
> this assumes that an attacker is *very* interested in your wiki!
>
> If you were sitting in a café with your laptop connected to unencrypted 
> WiFi and you were connecting to TiddlyWiki on your laptop from your phone, 
> the contents of your wiki would be visible to anyone wanting to sniff 
> traffic out of the air.  From a cursory look at the TiddlyWiki server code, 
> it looks to me like TiddlyWiki uses basic authentication, which means one 
> could easily derive your username and password from this traffic.  Without 
> observing traffic an attacker would have a harder time, but I guess they 
> could port scan to find open ports on your laptop and try to brute-force 
> your username and password - assuming the network operator allows different 
> WiFi clients to talk to each other.
>
> Regarding port forwarding, you're in a similar situation - TiddlyWiki 
> serves its traffic over HTTP, so anyone between the machine accessing your 
> TiddlyWiki and your home router could sniff this traffic.
>
> To fix packet sniffing, this is fairly easy to guard against (I'm not sure 
> how technical of a background you have, so be warned - here be dragons!) - 
> you could use an HTTPS reverse proxy like nginx with Let's Encrypt to 
> provide a certificate to encrypt the traffic between your laptop or router 
> and your Android/iOS device.
>
> To protect against brute forcing, you would probably want some mechanism 
> to deny a user after a certain number of incorrect tries, like fail2ban.
>
> -Rob
>
> On Wednesday, August 29, 2018 at 5:25:11 PM UTC-5, Scott Kingery wrote:
>>
>> After some poking around this forum I've been starting my tiddlywiki on 
>> my LAN with:
>> tiddlywiki .\mytiddlywiki --server 12864 $:/core/save/lazy-images 
>> text/plain text/html "myusername" "*MYsecretPassword" 0.0.0.0
>>
>> It's cool because I can get to my wiki from anywhere on the LAN and it works 
>> nicely on Android and iOS because I can browse to the wiki without much other 
>> hassle.
>>
>> Not too worried about security because the only one who knows about it is 
>> me. I am wondering how secure this is if it were on a larger LAN than my 
>> house?  Or maybe some port forwarding to get to my server from outside my 
>> LAN.
>>
>> Thanks,
>> Scott
>>
>

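Rob's last suggestion above, a fail2ban-style lockout after a number of wrong passwords, is easy to show in code. The following is an added example written for this thread; it is not part of TiddlyWiki and not Rob's or Jeremy's code. It assumes a simple access-log format of "<client-ip> <ISO-8601 time> <HTTP status>" and treats a 401 as one failed basic-auth attempt against the wiki (both of those are my assumptions, as are the thresholds and the sample log lines, which are constructed). The tracker keeps a sliding window of failures per client address and locks the address out once the threshold is reached, including for requests that would otherwise have been accepted.

```javascript
// Added example, not TiddlyWiki project code: a fail2ban-style lockout
// tracker for HTTP basic-auth failures, run over constructed access-log
// lines. Assumed log format (my assumption): "<ip> <ISO-8601 time> <status>",
// where a 401 means one failed login attempt against the wiki.

const MAX_FAILURES = 5;            // failures allowed per window before lockout
const WINDOW_MS = 10 * 60 * 1000;  // 10-minute sliding window for counting failures
const BAN_MS = 60 * 60 * 1000;     // lock the client out for one hour

class AuthFailureTracker {
  constructor(maxFailures = MAX_FAILURES, windowMs = WINDOW_MS, banMs = BAN_MS) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.banMs = banMs;
    this.failures = new Map();    // ip -> array of failure timestamps (ms)
    this.bannedUntil = new Map(); // ip -> ms timestamp at which the ban expires
  }

  // True while the client is locked out; expired bans are cleared on the way.
  isBanned(ip, nowMs) {
    const until = this.bannedUntil.get(ip);
    if (until === undefined) return false;
    if (nowMs >= until) {
      this.bannedUntil.delete(ip);
      return false;
    }
    return true;
  }

  // Record one request. Returns "banned" if the client is currently locked out
  // (the request should be rejected regardless of its credentials), "locked"
  // if this failure just triggered a new lockout, otherwise "ok".
  record(ip, statusCode, nowMs) {
    if (this.isBanned(ip, nowMs)) return "banned";
    if (statusCode !== 401) {
      // Basic auth covers the whole wiki, so any non-401 response means the
      // client authenticated; reset its failure counter.
      this.failures.delete(ip);
      return "ok";
    }
    const recent = (this.failures.get(ip) || []).filter(t => nowMs - t < this.windowMs);
    recent.push(nowMs);
    this.failures.set(ip, recent);
    if (recent.length >= this.maxFailures) {
      this.bannedUntil.set(ip, nowMs + this.banMs);
      this.failures.delete(ip);
      return "locked";
    }
    return "ok";
  }
}

// Parse one line of the assumed "<ip> <ISO time> <status>" format.
function parseLogLine(line) {
  const [ip, time, status] = line.trim().split(/\s+/);
  return { ip, timeMs: Date.parse(time), status: Number(status) };
}

// Replay log lines through a tracker; report new lockouts and rejected requests.
function analyseLog(lines, tracker = new AuthFailureTracker()) {
  const lockedOut = [];
  const rejected = [];
  for (const line of lines) {
    const { ip, timeMs, status } = parseLogLine(line);
    const result = tracker.record(ip, status, timeMs);
    if (result === "locked") lockedOut.push({ ip, at: new Date(timeMs).toISOString() });
    if (result === "banned") rejected.push(ip);
  }
  return { lockedOut, rejected };
}

// Constructed sample log (documentation addresses from 192.0.2.0/24):
// one user mistypes once and then logs in; another address fails repeatedly.
const SAMPLE_LOG = [
  "192.0.2.20 2018-08-30T10:00:00Z 401",
  "192.0.2.20 2018-08-30T10:00:30Z 200",
  "192.0.2.10 2018-08-30T10:01:00Z 401",
  "192.0.2.10 2018-08-30T10:01:10Z 401",
  "192.0.2.10 2018-08-30T10:01:20Z 401",
  "192.0.2.10 2018-08-30T10:01:30Z 401",
  "192.0.2.10 2018-08-30T10:01:40Z 401", // fifth failure in the window: lockout
  "192.0.2.10 2018-08-30T10:01:50Z 401", // rejected while locked out
  "192.0.2.10 2018-08-30T10:02:00Z 200", // even a correct password is rejected until the ban expires
];

console.log(JSON.stringify(analyseLog(SAMPLE_LOG), null, 2));
```

On the sample log only 192.0.2.10 is locked out (at the fifth failure), and its two later requests are rejected; the user at 192.0.2.20 who mistyped once is unaffected because a successful login clears the counter. In a real deployment the same logic would sit in the reverse proxy or in fail2ban reading the server's log, which is where Rob places it.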
-- 
You received this message because you are subscribed to the Google Groups 
"TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/tiddlywiki.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/tiddlywiki/5712d2c9-d88b-4933-88b0-7fca1876f529%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
