Secure connection to server

Secure connection to server

Rick Harrison via use-livecode
A little while ago in this forum we were alerted to the fact that LC direct connection to a remote database not using SSL was a security hole. This also applies to managing Mailman lists on a remote server.

After a steep (re-)learning curve with the various technologies, I now have a working method in place for both mysql and Mailman connections, using php as middleware and posting via curl in a shell script. But it is sooo slooow.

Direct connection downloaded an sql query in a fraction of a second. It now takes over a second. This is acceptable (barely) for an isolated call,  but I sometimes need to make a sequence of posts. As I understand it, the slowness is due to the time required to establish the secure connection, not an LC problem. For example establishing an ssh connection in Terminal is even slower; but once established an ssh session is super fast. Similarly curl will reuse authentication credentials within a shell session, so I aggregate as many calls as I can with a single shell script before using shell(myscript), and this definitely helps.

What I would like to do however is use LC server as the middleware: I could then process the required data on the server side; I could not contemplate using php to do this. I suspect the LC post command uses curl under the hood, but I also suspect each post call would create its own session. I don’t think it is possible to establish a single session to talk sequentially to lcserver; if so this would be too slow. Am I correct?

Actually I guess I could  just use my present method using curl and shell() instead of post, but addressed to an .lc script instead of .php?

Or is there a whole better way to do what I want?

Neville Smythe



_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
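
Added example (not part of the original post, and not code from any list member): one way to apply the batching idea described above, sending several POSTs through a single curl process so that only the first request has to set up the secure connection, and then reading curl's own timing counters to confirm it. The URL, form fields, output file names and function names are hypothetical, and the timing lines are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. URL and form fields are hypothetical.

# Print a curl config (use with: curl -K FILE) that POSTs each body argument
# to the same URL inside ONE curl process, so the TLS connection opened for
# the first request can be reused by the following ones.
build_batch_config() {
    url=$1; shift
    i=0
    for body in "$@"; do
        i=$((i + 1))
        # 'next' starts a new request and resets per-request options,
        # which is why they are repeated for every body.
        [ "$i" -eq 1 ] || printf 'next\n'
        # Escape backslashes and double quotes for curl's quoted config syntax.
        esc=$(printf '%s' "$body" | sed 's/[\\"]/\\&/g')
        printf 'url = "%s"\n' "$url"
        # data-raw: a body starting with @ is sent as-is, not read from a file.
        printf 'data-raw = "%s"\n' "$esc"
        printf 'silent\n'
        printf 'output = "response_%d.txt"\n' "$i"
        printf 'write-out = "%%{num_connects} %%{time_appconnect} %%{time_total}\\n"\n'
    done
}

# Read "<num_connects> <time_appconnect> <time_total>" lines (one per request)
# and report how many requests opened a new connection, and how long those
# requests took to reach the end of the TLS handshake (setup_s).
summarise_timings() {
    awk '{ n++; total += $3; if ($1 > 0) { fresh++; setup += $2 } }
         END { printf "requests=%d new_connections=%d setup_s=%.3f total_s=%.3f\n",
                      n, fresh, setup, total }'
}

# Offline demonstration with constructed values (no network access needed).
build_batch_config "https://example.invalid/api.lc" "op=status" "op=update"
printf '1 0.612 1.104\n0 0.000 0.391\n0 0.000 0.402\n' | summarise_timings
# Real use: build_batch_config URL BODY... > batch.cfg
#           curl -K batch.cfg | summarise_timings
```

A `new_connections` count equal to the number of requests means every call paid for its own connection setup, which is the slow case the post describes.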

Re: Secure connection to server

Rick Harrison via use-livecode
I created a simple client and server stack combo that uses sockets to pass an encrypted stream of data back and forth. I have been meaning to implement it for the very reasons you suggest, but since the nature of the data doesn’t demand it, and since I develop basically gratis for the company I work for, it hasn’t been a priority. The concept is simple though. Start with a server stack that listens on a certain port, then create a client stack that opens a port to that server. (You can’t do it on a single workstation, the server has to be a different device.)

Once you have that, code the server to accept the data, then send it back to the client. Once that is working, encrypt / decrypt the data both ways and check that what you sent is what you receive.

Finally code the server to receive the data, do some process then return the resulting data. Simple, right? :-)

Bob S


On Dec 15, 2020, at 4:32 PM, Neville Smythe via use-livecode <[hidden email]> wrote:

A little while ago in this forum we were alerted to the fact that LC direct connection to a remote database not using SSL was a security hole. This also applies to managing Mailman lists on a remote server.

After a steep (re-)learning curve with the various technologies, I now have a working method in place for both mysql and Mailman connections, using php as middleware and posting via curl in a shell script. But it is sooo slooow.

Direct connection downloaded an sql query in a fraction of a second. It now takes over a second. This is acceptable (barely) for an isolated call,  but I sometimes need to make a sequence of posts. As I understand it, the slowness is due to the time required to establish the secure connection, not an LC problem. For example establishing an ssh connection in Terminal is even slower; but once established an ssh session is super fast. Similarly curl will reuse authentication credentials within a shell session, so I aggregate as many calls as I can with a single shell script before using shell(myscript), and this definitely helps.

What I would like to do however is use LC server as the middleware: I could then process the required data on the server side; I could not contemplate using php to do this. I suspect the LC post command uses curl under the hood, but I also suspect each post call would create its own session. I don’t think it is possible to establish a single session to talk sequentially to lcserver; if so this would be too slow. Am I correct?

Actually I guess I could  just use my present method using curl and shell() instead of post, but addressed to an .lc script instead of .php?

Or is there a whole better way to do what I want?

Neville Smythe


RE: Secure connection to server

Rick Harrison via use-livecode
I'm able to have the socket client and server on the same device. (Win 10)

Ralph DiMola
IT Director
Evergreen Information Services
[hidden email]


-----Original Message-----
From: use-livecode [mailto:[hidden email]] On Behalf Of Bob Sneidar via use-livecode
Sent: Tuesday, December 22, 2020 4:34 PM
To: How to use LiveCode
Cc: Bob Sneidar
Subject: Re: Secure connection to server

I created a simple client and server stack combo that uses sockets to pass an encrypted stream of data back and forth. I have been meaning to implement it for the very reasons you suggest, but since the nature of the data doesn’t demand it, and since I develop basically gratis for the company I work for, it hasn’t been a priority. The concept is simple though. Start with a server stack that listens on a certain port, then create a client stack that opens a port to that server. (You can’t do it on a single workstation, the server has to be a different device.)

Once you have that, code the server to accept the data, then send it back to the client. Once that is working, encrypt / decrypt the data both ways and check that what you sent is what you receive.

Finally code the server to receive the data, do some process then return the resulting data. Simple, right? :-)

Bob S


On Dec 15, 2020, at 4:32 PM, Neville Smythe via use-livecode <[hidden email]> wrote:

A little while ago in this forum we were alerted to the fact that LC direct connection to a remote database not using SSL was a security hole. This also applies to managing Mailman lists on a remote server.

After a steep (re-)learning curve with the various technologies, I now have a working method in place for both mysql and Mailman connections, using php as middleware and posting via curl in a shell script. But it is sooo slooow.

Direct connection downloaded an sql query in a fraction of a second. It now takes over a second. This is acceptable (barely) for an isolated call,  but I sometimes need to make a sequence of posts. As I understand it, the slowness is due to the time required to establish the secure connection, not an LC problem. For example establishing an ssh connection in Terminal is even slower; but once established an ssh session is super fast. Similarly curl will reuse authentication credentials within a shell session, so I aggregate as many calls as I can with a single shell script before using shell(myscript), and this definitely helps.

What I would like to do however is use LC server as the middleware: I could then process the required data on the server side; I could not contemplate using php to do this. I suspect the LC post command uses curl under the hood, but I also suspect each post call would create its own session. I don’t think it is possible to establish a single session to talk sequentially to lcserver; if so this would be too slow. Am I correct?

Actually I guess I could  just use my present method using curl and shell() instead of post, but addressed to an .lc script instead of .php?

Or is there a whole better way to do what I want?

Neville Smythe


Re: Secure connection to server

Rick Harrison via use-livecode
Hmmm… didn’t work on my Mac. Not sure why, it may be something I did.

Bob S


On Dec 22, 2020, at 1:48 PM, Ralph DiMola via use-livecode <[hidden email]> wrote:

I'm able to have the socket client and server on the same device. (Win 10)

Ralph DiMola
IT Director
Evergreen Information Services
[hidden email]


RE: Secure connection to server

Rick Harrison via use-livecode
Tried it on Mac (Mojave) and it worked. Though I did have to use the IP address rather than the Mac's name in the client. I wonder what I'm doing wrong?

Ralph DiMola
IT Director
Evergreen Information Services
[hidden email]

-----Original Message-----
From: use-livecode [mailto:[hidden email]] On Behalf Of Bob Sneidar via use-livecode
Sent: Tuesday, December 22, 2020 4:48 PM
To: How to use LiveCode
Cc: Bob Sneidar
Subject: Re: Secure connection to server

Hmmm… didn’t work on my Mac. Not sure why, it may be something I did.

Bob S


On Dec 22, 2020, at 1:48 PM, Ralph DiMola via use-livecode <[hidden email]> wrote:

I'm able to have the socket client and server on the same device. (Win 10)

Ralph DiMola
IT Director
Evergreen Information Services
[hidden email]


Re: Secure connection to server

Rick Harrison via use-livecode
I think I remember why I couldn’t do it. I was using the loopback connector for some reason.

Bob S


On Dec 22, 2020, at 2:21 PM, Ralph DiMola via use-livecode <[hidden email]> wrote:

Tried it on Mac (Mojave) and it worked. Though I did have to use the IP address rather than the Mac's name in the client. I wonder what I'm doing wrong?

Ralph DiMola
IT Director
Evergreen Information Services
[hidden email]


Re: Secure connection to server

Rick Harrison via use-livecode
There was supposedly an effort to enable secure Postgres connection a few years ago, but it seems to have withered and died.

I had to give up on mysql for postgresql once the need to send compound queries. AFAIK, you still can’t do a block mysql transaction in mysql with livecode, making rollback impossible. (Well, I suppose you *could* do a big runaround with timestamps and faux “transaction” keys, but you’re still counting on the client end not failing).

If I go forward with the project, I’m going to be encrypting the data at the client end. It limits the types of transactions possible, but that’s fine for what I do. (But an actual secure Postgres connection would be far better . . . )



Re: Secure connection to server

Rick Harrison via use-livecode
I have now moved all my code from php to LiveCode server as the middle-ware.

Firstly it appears that the LiveCode post operation does reuse authentication credentials to an https connection as long as calls are made within a single script. In my case the first call typically takes slightly more than 1 second, subsequent calls in the same script take under half a second.

This is still not adequate to conduct a conversation with the remote database, as was possible when connecting directly, but at least in my case I can get away with just two calls from clients to server: first “tell me the current status of all this stuff”, second “please update the db using this stuff”. It means packing and unpacking “stuff” into large files at each end, but LC is so easy and efficient at text processing that was not difficult. Indeed as usual with refactoring, I found a number of code improvements.

The remaining really slow operation involves managing the mail distribution lists. DreamHost is still using Mailman 2.x, so that the only way to get the current list of subscribers is to scrape the admin web pages. There is a well-known subscriberlist.py python script to do this but it is painfully slow. When used directly (insecurely) from the client, this took 10 seconds or so to gather 175 subscribers. Transferring this to the server side with lc authentication in-between, it now takes 14 to 15 seconds; I’m not sure why it is more than 2 seconds slower but it is what it is. I have rewritten this as an lc script, which shaves a couple of seconds off; to be fair the python script is doing rather more than my lc script as it is much more generic. And on the other hand I can understand what my script is doing, whereas the python script is rather opaque (to me).

So overall I am very happy with LC server. And I have a new toy to play with for the New Year.

Neville

> On 16 Dec 2020, at 11:32 am, Neville Smythe <[hidden email]> wrote:
>
> A little while ago in this forum we were alerted to the fact that LC direct connection to a remote database not using SSL was a security hole. This also applies to managing Mailman lists on a remote server.
>
> After a steep (re-)learning curve with the various technologies, I now have a working method in place for both mysql and Mailman connections, using php as middleware and posting via curl in a shell script. But it is sooo slooow.
>
> Direct connection downloaded an sql query in a fraction of a second. It now takes over a second. This is acceptable (barely) for an isolated call,  but I sometimes need to make a sequence of posts. As I understand it, the slowness is due to the time required to establish the secure connection, not an LC problem. For example establishing an ssh connection in Terminal is even slower; but once established an ssh session is super fast. Similarly curl will reuse authentication credentials within a shell session, so I aggregate as many calls as I can with a single shell script before using shell(myscript), and this definitely helps.
>
> What I would like to do however is use LC server as the middleware: I could then process the required data on the server side; I could not contemplate using php to do this. I suspect the LC post command uses curl under the hood, but I also suspect each post call would create its own session. I don’t think it is possible to establish a single session to talk sequentially to lcserver; if so this would be too slow. Am I correct?
>
> Actually I guess I could  just use my present method using curl and shell() instead of post, but addressed to an .lc script instead of .php?
>
> Or is there a whole better way to do what I want?
>
> Neville Smythe
>
>

