Security is something I take very seriously in the development of Crafty. I have taken many steps to help ensure that Crafty is as secure as possible with very little user interaction. This page outlines the security model of Crafty and the things I have done to help ensure a safe secure system.
SSL / HTTPS By Default
Crafty is SSL / HTTPS by default. On launch, Crafty looks in the app/web/certs folder for certificates (crafty.cert and crafty.key). If these files are not found, Crafty automatically generates an RSA 4096 key file and a SHA-256 cert. This is a self-signed cert, so you will still get a browser warning, but the traffic is encrypted. If you wish to replace the certs with a normal, non-self-signed cert (such as one from Let's Encrypt), simply replace the crafty.cert and crafty.key files and Crafty will use those. Crafty will not overwrite those files.
Crafty uses Argon2 for storage of its passwords. Argon2 is the winner of the Password Hashing Competition. Its password storage is extremely secure and very resistant to GPU-powered cracking attempts. You can read more about it here. I recommend using 25-character passwords with spaces. Something like "0avert-9welsh-White-false1" is much better than "H.s9xgh29*2!".
Sign in Cookies
Tornado uses a secure cookie to verify that you are logged in. You can read about it here. Cookies can be modified by the client, which is why we use secure cookies, which are encrypted. The encryption secret phrase is a random phrase that is changed each time Crafty starts. I do this for two reasons. First, the encryption key changes with every server reload, so even if someone does crack the secret key, it will change on the next reload. Second, each Crafty instance is completely different from every other one.
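To make the two properties above concrete (a client cannot alter the cookie without breaking it, and a cookie minted before a restart is rejected afterwards), here is an added example that is not Crafty's or Tornado's code. It mimics the value|timestamp|signature layout of Tornado's signed cookies using HMAC-SHA256 (Tornado's own implementation and digest choice may differ) together with a secret regenerated on every start.

```python
"""Added illustration of the signed-cookie idea behind Tornado's secure cookies.

Not Crafty's or Tornado's code: it copies the value|timestamp|signature layout
so the two claims from the text can be checked in isolation.
"""
import base64
import hashlib
import hmac
import secrets
import time


def new_cookie_secret() -> str:
    # Crafty regenerates the secret on every start: 32 random bytes, hex-encoded.
    return secrets.token_hex(32)


def _signature(secret: str, *parts: str) -> str:
    # Keyed MAC over cookie name, encoded value and timestamp, so that changing
    # any one of them (or reusing the value under another name) breaks the tag.
    h = hmac.new(secret.encode(), digestmod=hashlib.sha256)
    for p in parts:
        h.update(p.encode())
    return h.hexdigest()


def create_signed_value(secret: str, name: str, value: str, clock=time.time) -> str:
    encoded = base64.b64encode(value.encode()).decode()
    timestamp = str(int(clock()))
    sig = _signature(secret, name, encoded, timestamp)
    return "|".join([encoded, timestamp, sig])


def decode_signed_value(secret: str, name: str, signed: str,
                        max_age_days: float = 31, clock=time.time):
    """Return the original value, or None if tampered, forged or expired."""
    parts = signed.split("|")
    if len(parts) != 3:
        return None
    encoded, timestamp, sig = parts
    expected = _signature(secret, name, encoded, timestamp)
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, sig):
        return None
    if not timestamp.isdigit() or int(timestamp) < clock() - max_age_days * 86400:
        return None
    return base64.b64decode(encoded).decode()
```

Run `decode_signed_value` with a secret from a fresh `new_cookie_secret()` against a cookie minted under the previous secret to see the restart invalidation the text describes.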
XSS and XSRF
Cross-site scripting and cross-site request forgery. Tornado uses xsrf_cookies in Crafty. This puts an encrypted key requirement in each POST request. This is done to ensure that only Crafty can send commands to your servers via the API, and prevents others from sending data to your server. You can read more about it here.
If you happen to think of other ways for Crafty to be more secure, please drop me a line on our Discord 🙂