|
|
@@ -6,9 +6,9 @@ Below are some lists of differences between this version of Gazelle and What.cd'
|
|
6
|
6
|
|
|
7
|
7
|
#### Integrated Database Encryption
|
|
8
|
8
|
|
|
9
|
|
-Using a database key [provided by staff](sections/tools/misc/database_key.php) and only ever stored as a hash in memory (via APC), the [integrated database encryption](classes/dbcrypt.class.php) is used to encrypt sensitive user data like IP addresses, emails, and private messages regardless of the underlying system gazelle is running on.
|
|
|
9
|
+Using a database key [provided by staff](sections/tools/misc/database_key.php) and only ever stored as a hash in memory (via APCu), the [integrated database encryption](classes/dbcrypt.class.php) is used to encrypt sensitive user data like IP addresses, emails, and private messages regardless of the underlying system gazelle is running on.
|
|
10
|
10
|
|
|
11
|
|
-The rest of gazelle must be aware that some of the data it fetches from the DB is encrypted, and must have a fallback if that data is unavailable (the key is not in memory). You will see plenty of `if (!apc_exists('DBKEY')) {` in this codebase.
|
|
|
11
|
+The rest of gazelle must be aware that some of the data it fetches from the DB is encrypted, and must have a fallback if that data is unavailable (the key is not in memory). You will see plenty of `if (!apcu_exists('DBKEY')) {` in this codebase.
|
|
12
|
12
|
|
|
13
|
13
|
#### Authorized Login Locations
|
|
14
|
14
|
|
|
|
@@ -20,6 +20,10 @@ This prevents most attacks that would be otherwise successful, as it requires an
|
|
20
|
20
|
|
|
21
|
21
|
Despite our other (less intrusive) methods of protecting user accounts being more than sufficient for virtually all feasible attacks, we also ship optional 2FA should users feel the need to enable it.
|
|
22
|
22
|
|
|
|
23
|
+#### Universal 2nd Factor
|
|
|
24
|
+
|
|
|
25
|
+Support for physical U2F tokens has also been added as an optional alternative to normal 2FA. U2F allows users to protect their account with something less likely to be lost or erased than 2FA keys stored on a phone.
|
|
|
26
|
+
|
|
23
|
27
|
#### Unique Infohashes
|
|
24
|
28
|
|
|
25
|
29
|
Upon upload, torrent files are modified to contain a "source" field in the info dict containing the concatination of the site name and some generated junk data (unique per-torrent). This prevents infohash collisions with torrents cross-seeded from other sites in the same client, and also helps protect against some not particularly likely peer-leaking attacks.
|
|
|
@@ -42,7 +46,7 @@ Like most gazelle forks, we've added a [bonus point system](sections/schedule/ho
|
|
42
|
46
|
|
|
43
|
47
|
#### Modern password hashing
|
|
44
|
48
|
|
|
45
|
|
-We use new PHP password hashing features that automatically rehash your password when a better hashing algorithm is made available and employ prehashing to allow you to use a secure password of any length. Original gazelle would effectively truncate your password after around 72 characters (if the tracker even allowed you to use a password that long). This codebase does not have the same problem, and allows passwords of virtually unlimited length (over 30,000 characters by default) that remain useful after a few tens of characters.
|
|
|
49
|
+We use modern PHP password hashing features that automatically rehash your password when a better hashing algorithm is made available and employ prehashing to allow you to use a secure password of any length. Original gazelle would effectively truncate your password after around 72 characters (if the tracker even allowed you to use a password that long). This codebase does not have the same problem, and allows passwords of virtually unlimited length (over 30,000 characters by default) that remain useful after a few tens of characters.
|
|
46
|
50
|
|
|
47
|
51
|
## Minor Changes
|
|
48
|
52
|
|
