Neocodex Technology Blog



SSL Implementation on Neocodex

Posted by ShadowLink64, in Neocodex, Store, Programming 17 December 2012 · 999 views

As mentioned in this news post, Neocodex now uses Secure Sockets Layer (SSL) to protect our users from the eavesdropping attacks that can occur when using unfamiliar or insecure networks.

But how did we get it all set up?

Modern-day SSL essentially offers two benefits to the end user:
  • Security: Encrypts the traffic between client and server so that a third party cannot eavesdrop on the data.
  • Trust: Lets the end user know that the identity of the organization using SSL has been verified.
It is possible to implement the former without the latter using self-signed certificates, but we wanted both of these benefits. Because of this, we needed to be issued a certificate from a reputable Certificate Authority (CA) who could verify our identity.

First we needed to generate a private key on our server (*.key file), and then create a Certificate Signing Request (CSR) using that key. This request is then provided to the CA, and once our identity has been verified, a certificate is provided to us in the form of a *.crt file. Our identity was verified using our domain and IP information, as well as having a valid e-mail address associated with our domain. Many CAs go a step further in their background check, but we simply wanted basic assurance for our users instead of nothing at all.

So now, here's where things get a bit technical. We now needed to give our web server enough knowledge so that if anyone wants to connect to us using SSL (by having https:// in their URL bar), it can take care of all of that for us. The things we needed to provide to our web server are:
  • Neocodex's private key (*.key) and Neocodex's certificate from the CA (*.crt), combined into one file with the extension *.pem
  • The Certificate Authority's own certificate (ca.crt) -- you can find this publicly available on their website.
In lighttpd, this can be done with the following configuration (inside lighttpd.conf):

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.ca-file = "/path/to/ca.crt"
    ssl.pemfile = "/path/to/neocodex.pem"
}
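As an added example (not a script from the original post), the key, CSR and combined *.pem steps described above as a shell script, with a self-signed certificate standing in for the CA-issued *.crt; it assumes openssl is installed, and the domain and working directory are placeholders.

```shell
#!/bin/sh
# Added example, not Neocodex's own tooling. Requires the openssl CLI.
set -e

DOMAIN="${DOMAIN:-www.example.com}"          # placeholder domain
WORKDIR="${WORKDIR:-$(mktemp -d)}"           # placeholder output directory

# Step 1: the server's private key (2048-bit RSA) and the CSR sent to the CA.
make_key_and_csr() {
  openssl genrsa -out "$WORKDIR/$DOMAIN.key" 2048 2>/dev/null
  chmod 600 "$WORKDIR/$DOMAIN.key"           # the key never leaves the server
  openssl req -new -key "$WORKDIR/$DOMAIN.key" -subj "/CN=$DOMAIN" \
      -out "$WORKDIR/$DOMAIN.csr" 2>/dev/null
}

# Step 2: the CA would return a *.crt after verifying identity. Stand-in here:
# a self-signed certificate from the same CSR (encryption, but no third-party
# trust, as the post notes).
make_cert() {
  openssl x509 -req -in "$WORKDIR/$DOMAIN.csr" -signkey "$WORKDIR/$DOMAIN.key" \
      -days 365 -out "$WORKDIR/$DOMAIN.crt" 2>/dev/null
}

# Step 3: lighttpd's ssl.pemfile expects key and certificate in one file.
make_pem() {
  cat "$WORKDIR/$DOMAIN.key" "$WORKDIR/$DOMAIN.crt" > "$WORKDIR/$DOMAIN.pem"
  chmod 600 "$WORKDIR/$DOMAIN.pem"
}

# Check: the public key inside the certificate must equal the one derived from
# the private key. A mismatch (wrong key pasted into the pem) is the usual
# reason a TLS listener refuses to start.
pem_key_matches_cert() {
  k=$(openssl pkey -in "$WORKDIR/$DOMAIN.pem" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORKDIR/$DOMAIN.pem" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```

For the real deployment the self-signed step is replaced by the certificate the CA returns; the key-vs-certificate check is the same.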

Now, some complications arise when you want to enable SSL on multiple domains. We run a separate site that we sell Neocash from, so we generated a *.pem file for that domain as well. But we need to tell lighttpd to use the correct pem file for each domain. This technique is called Server Name Indication (SNI), and it is implemented in lighttpd the following way:

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.ca-file = "/path/to/ca.crt"
    ssl.pemfile = "/path/to/neocodex.pem"

    $HTTP["host"] =~ "neocodex.us" {
        ssl.pemfile = "/path/to/neocodex.pem"
        ssl.ca-file = "/path/to/ca.crt"
    }

    $HTTP["host"] =~ "otherdomain.com" {
        ssl.pemfile = "/path/to/otherdomain.pem"
        ssl.ca-file = "/path/to/ca.crt"
    }
}
Notice that we reference neocodex.pem twice -- we have to give lighttpd a default pem file to use if neither of these domains is requested (including clients that send no server name at all), so we fall back to Neocodex's certificate if all else fails.

And that's it! After restarting lighttpd, any requests made to https://www.neocodex.us/* are encrypted using a 256-bit algorithm. :p


Dealing with fraudulent charges

Posted by Hydrogen, in Store 09 September 2012 · 2410 views

As most of you must have seen by now, we have just banned user emotoyol from using our site. Through a series of strange events, we discovered that the user had used stolen credit cards on our site to purchase two and a half years of advanced membership at once. In this blog post, I'll explain what happened, how we resolved it, and what we've done to make sure it never happens again.

What happened
Neocodex admins receive notifications from multiple data sources whenever someone makes a purchase on our website. I personally receive emails and push notifications on my phone. By now, we've gotten to know our most frequent customers and are diligent about correcting any mistakes in purchasing. Some of you have received a PM from me when you didn't get the coupon discount that you deserved or accidentally paid twice for a product that you only wished to pay once for. In all of those situations, we've resolved the issue quickly and efficiently so that everyone can be on their way.

On September 2, 2012, Neocodex admins received a notification that one user, emotoyol, had purchased $157 worth of advanced membership in five minutes. Almost everyone purchases one month, three months, or six months at a time. In case you are wondering, $157 equals about two and a half years of advanced membership! As I always do when I see something weird, I contacted the user about the transaction.

As you can see, the user last read the PM on September 7, 2012, but never responded. In a bit of a strange series of events, we discovered that this user had stolen the credit cards used in making these purchases. Our Facebook page started receiving posts by two people, one of whom was the person whose credit card had been stolen. They were both, understandably, pretty angry about the situation.

I got in touch with the Facebook user whose credit card had been stolen by email, and we discovered that the issue was a lot larger than just his credit card. I discovered from the credit card processor's logs that emotoyol, while living in Malaysia, had used credit cards from the United States of America, Denmark, and Greece, all within five minutes, to purchase advanced membership from our site.

How we resolved it
We have refunded all of the payments received by emotoyol back to their originating credit cards. In addition, we have banned emotoyol from our site based on account, IP address, and hardware ID.

Neocodex admins are currently working to resolve this issue with Stripe (our credit card processor). So far, we've only sent an email to Stripe informing them of the issue. Since this is the first time I've ever had to deal with fraudulent activity, we've deferred to them on what the best plan of action is. We may be contacting the local authorities regarding this user and will provide whatever information is necessary to help with the investigation.

What we have done to make sure it will never happen again
The ability to purchase such large quantities of advanced membership at once was due to a bug in our e-commerce system: users could upgrade to and from deprecated packages that were still set to have infinite stock instead of the zero stock they should have had. That bug has been fixed in our system and should not occur again.

Furthermore, we have implemented extra fraud checks by purchasing a subscription to Maxmind.net. Maxmind analyzes transaction information and returns a fraud score to our servers, which helps us determine whether a transaction should be reviewed or declined. These fraud checks run in addition to the fraud checks already run by Stripe (our credit card processor) and PayPal, depending on which payment method you choose.

Conclusion
This was the first time we've had to deal with truly fraudulent payments on Neocodex. As with all firsts, I can truly say that I've learned a lot in the last two hours :p. While we have refunded all transactions, I sincerely hope that we can get the money back to the people it belongs to. Credit card fraud is serious business and this was a strange situation to wake up to on Sunday morning :p. The investigation is still ongoing, but I believe that the changes we have made will protect us in the future from getting into this situation in the first place.
