Deprecating some outdated settings

In MIDAS v4.37, we’re deprecating some outdated privacy and security settings.

In this post, we’ll outline what’s changing and explain the reasons behind the decision to remove these options.

“SSL Access” setting has been removed

SSL Access setting in MIDAS

In the early days of the World Wide Web, you connected to websites over “http”.

“http” connections were not secure and could be intercepted. So along came “https”, which allowed visitors to connect to websites over encrypted Secure Sockets Layer – or SSL – connections.

However, adoption of “https” across the World Wide Web was initially slow, primarily because SSL certificates were very expensive. Large financial institutions were naturally quick to jump on https. However, the price of SSL certificates put securing websites with https out of reach of the average webmaster, especially when the cost to renew them every 1-2 years was factored in.

Now, as you may know, we’ve been developing our web-based MIDAS room booking software for nearly 20 years! When we first began to offer a “cloud hosted” booking system to customers (way back in 2007), SSL/https use around the web was not widespread, and was expensive to implement.

Initially in 2007, we offered our cloud-hosted customers the option of being able to access their hosted MIDAS system over secure https. This was available via an optional (paid) addon for their scheduling system.

By June 2011, we’d recognized the importance and benefit of secure SSL connections for all our customers to their MIDAS systems. We therefore introduced better support for secure SSL connections with MIDAS v3.13.

As part of this, we added a new “SSL Access” setting to v3.13. This allowed administrators to control whether insecure http and/or secure https connections would be permitted to their MIDAS system.

In August 2012, we then took the further decision to include an SSL Certificate to enable secure connections for all our existing and future cloud hosted customers. At the same time, we enforced https connections to all hosted MIDAS systems.

Consequently, the “SSL Access” option first introduced in MIDAS v3.13 became redundant for our cloud-hosted customers. Since 2015 and MIDAS v4.09, this option has no longer been available in cloud-hosted editions of our booking system.

In the following years, the cost of SSL certificates gradually fell. Then in 2016, along came a game-changing service called “Let’s Encrypt”. Let’s Encrypt offered FREE SSL certificates for all. This finally gave every webmaster the ability to “secure” visitor connections to their websites at zero cost.

In May 2018 we migrated all our cloud-hosted customers’ SSL certificates from expensive GlobalSign certificates to ones issued for free by Let’s Encrypt instead.

Now, in 2024, SSL/https certificates are the norm – in fact, all modern web browsers now alert you if you attempt to visit an insecure website via http.

So whilst we removed the “SSL Access” settings in cloud-hosted MIDAS systems back in 2015, we’re now also removing these settings for self-hosted customers starting with MIDAS v4.37.

“Allowed IP Range” setting has been removed (self hosted editions only)

Allowed IP Range setting in MIDAS

The “Allowed IP Range” setting is one of the earliest security settings we provided in our room booking system. In fact, it was first introduced in v1.35 back in August 2007.

The setting allows an administrator to restrict access to their MIDAS system to an IP address or range.

This can be useful if a MIDAS system is hosted on a public-facing web server, which potentially could be accessed by anyone worldwide. The “Allowed IP Range” setting can be used to restrict access to users in your own country, organization, or to just you!

However, one of the limitations of this setting is that it only supports IPv4 addresses, and not IPv6 addresses.

Also, in the years since this setting was first introduced, other security and firewall products have become available which provide greater control over access to websites, apps, and servers.

Therefore, starting with MIDAS v4.37, we have removed the “Allowed IP Range” setting in self-hosted editions.

If you’re a self-hosted customer and wish to restrict access to your MIDAS system by IP address, you should consider other options to achieve this.

For instance, on Apache servers, you can easily allow/deny access by IP address/range in your httpd.conf or .htaccess files. For more information, please see Apache’s guidance on access control.
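The IPv4-only limitation described above matters as soon as clients reach the server over IPv6. The following added example (not MIDAS code; the function names and the documentation-range addresses are constructed for illustration) shows an allowlist check that covers both address families, including IPv4 clients that a dual-stack listener reports as IPv4-mapped IPv6 addresses:

```python
import ipaddress

# Constructed sample allowlists using documentation address ranges.
IPV4_ONLY = ["203.0.113.0/24"]
DUAL_STACK = ["203.0.113.0/24", "2001:db8:1234::/48"]


def parse_allowlist(entries):
    """Parse CIDR strings (IPv4 or IPv6) into network objects."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(client_ip, networks):
    """Return True if client_ip falls inside any allowed network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: fail closed
    # A dual-stack listener may report an IPv4 client as ::ffff:a.b.c.d.
    # Unwrap it so the IPv4 rules still apply to that client.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # An IPv6 client can never match an IPv4 network, so an IPv4-only
    # list silently excludes every native IPv6 visitor.
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    for label, entries in (("IPv4 only", IPV4_ONLY), ("dual stack", DUAL_STACK)):
        nets = parse_allowlist(entries)
        for ip in ("203.0.113.7", "2001:db8:1234::7", "::ffff:203.0.113.7"):
            print(label, ip, is_allowed(ip, nets))
```

Whatever replaces the removed setting (web server rules or a firewall) needs an entry for the organization's IPv6 prefix as well as its IPv4 range, otherwise the same office can be admitted over one protocol and refused over the other.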

“Do Not Track (dnt)” has been superseded by “Global Privacy Control”

Honor user's Do Not Track preference setting in MIDAS

“Do Not Track” – or ‘dnt’ for short – was an official HTTP header first proposed in 2009. It was intended to allow users to opt out of tracking by websites.

By 2011, all major web browsers had implemented support for the proposed “Do Not Track” features.

In 2017, with the release of MIDAS v4.16, we included an “Honor user’s Do Not Track preference” setting.

If enabled (and if an end-user had also enabled the “Do Not Track” feature in their browser), MIDAS would not log the user’s IP address in the Recent Activity Log.

However, globally, recognition and support of the “Do Not Track” HTTP header by websites was poor. So much so that in January 2019, the “Do Not Track” HTTP header was officially deprecated. A month later, Apple removed DNT support from their Safari browser.

Whilst some other browsers still continue to offer a “Do Not Track” setting, it has since been superseded by a new “Global Privacy Control” – or GPC – header.

At time of writing, Global Privacy Control is still classed as an “experimental” and “non standard” technology, and its behaviour may change in the future.

But for MIDAS v4.37, we’ll support both DNT and GPC features. The “Honor user’s Do Not Track preference” setting will be renamed to “Honor user’s privacy preferences” to reflect this.

It’s likely that in a future update we’ll fully drop support for the deprecated “DNT” header. At time of writing though, as some browsers still support it, we’ll continue to support it too.
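As an added illustration (not MIDAS's own code), here is how a server-side check could honor both signals when writing an activity log record. The `DNT` and `Sec-GPC` request header names and their `1` values are the standard ones; the function names and the record layout are assumptions made for this example.

```python
def _header(headers, name):
    """Case-insensitive header lookup; returns the stripped value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def privacy_signal(headers):
    """Return 'gpc', 'dnt' or None for the opt-out signal a request carries."""
    if _header(headers, "Sec-GPC") == "1":
        return "gpc"
    # "DNT: 0" means the user explicitly permits tracking, so only "1" counts.
    if _header(headers, "DNT") == "1":
        return "dnt"
    return None


def activity_log_entry(user, remote_addr, headers, honor_privacy=True):
    """Build a log record, leaving the IP address out when the user opted out.

    honor_privacy stands in for the administrator setting described above
    (hypothetical parameter name).
    """
    signal = privacy_signal(headers) if honor_privacy else None
    return {
        "user": user,
        "ip": None if signal else remote_addr,
        "privacy_signal": signal,
    }


if __name__ == "__main__":
    # Constructed sample requests.
    print(activity_log_entry("alice", "203.0.113.7", {"Sec-GPC": "1"}))
    print(activity_log_entry("bob", "203.0.113.8", {"dnt": "0"}))
```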


MIDAS v4.36 Out Now!

Last month we released a new update to our MIDAS room booking and resource scheduling software.

For this latest update we made a host of improvements to the user interface, including most notably a new “Default” theme.

The New Default Theme

MIDAS includes a number of pre-built visual themes, which an administrator can select for use throughout the software. Additionally, an administrator may optionally allow users to select their preferred theme upon login.

Our recent research showed that around 72% of MIDAS systems are set to use the “Default” theme. Surprisingly though, the second most popular theme is the “HiContrast” theme. Whilst the design intent behind the “HiContrast” theme was to provide greater accessibility to those with additional visual needs, we know many customers actually choose this theme as they find the default theme “too blue”!

We’ve listened, and as such, for v4.36 we’ve developed a new toned-down “Default” theme that’s a lot less “intense” blue than before:

The new default theme for MIDAS v4.36

We feel this new “Default” theme is easier on the eye and looks more professional. It provides a new alternative to those using the “HiContrast” theme primarily for a simpler, more basic “look” to their MIDAS system.

You can view this new “Default” theme (or any of the other included themes) right now over in our public demo!

If you still like the previous “Default” blue-themed theme better, don’t worry! It’s still available in v4.36, but is now called “MIDAS (Blue)”.

We’ve also made numerous other improvements to the user interface across all included themes. Some text and headings are now larger than before, dialogs are clearer, there’s increased spacing between certain elements, and some interactive buttons are now larger and more prominent too.

Other notable improvements in v4.36:

Receive Watch notifications on invoice payments

You can now set up a Watch notification to be alerted whenever customers pay their MIDAS generated invoices.

One-Stop Database Cleanup tool

MIDAS includes a number of “Database Tools” to help you remove obsolete data and keep your database running efficiently.

For v4.36, we’ve added a new “One-Stop Cleanup” tool which collectively runs several database tools. Performing a “One-Stop Cleanup” will:

  • Remove bookings that occurred more than 5 years ago
  • Remove invoices that were paid more than 5 years ago
  • Remove clients with no bookings in the past 2 years
  • Remove users who have not logged in for more than 1 year
  • Optimize the database

Improved Device Detection

For increased security, whenever you log in from a new or unfamiliar device, MIDAS can send you an email alert with details of the browser, device, and location (with our optional Geolocation addon) that’s just logged in.

Until now, MIDAS has been unable to distinguish between certain operating system versions. For example, Windows 10 and Windows 11, or MacOS Ventura and Sonoma. This is due to recent privacy changes in browsers, which no longer natively report the specific version of the operating system they’re running on.

We’ve made improvements to device detection for MIDAS v4.36, so unfamiliar login notifications (if enabled) will now provide more accurate information as to the operating system of the new device which has logged into your account.

Improved Filtering

We’ve added additional “does not start/end with” advanced filtering options when printing in v4.36.

You can now also apply filters when exporting bookings.

The new version of MIDAS also includes stability and performance improvements, and fixes for several issues that have been detected or reported since the release of v4.35. View the v4.36 changelog.

How To Get MIDAS v4.36…

New to MIDAS?

You can try MIDAS v4.36 for yourself with absolutely no obligation to purchase!

We offer both a free functional online public demo, as well as the opportunity for you to try MIDAS free for 30 days.

We offer a choice of both cloud and self hosted solutions, so if you’re ready to get MIDAS working for your organization, you can purchase or subscribe via our secure website.

“Self Hosted” Customers:

Self-Hosted customers with active Support Subscriptions can update to v4.36, and it only takes a couple of clicks.

Simply log in to your MIDAS system and go to MIDAS Admin Options → Manage MIDAS → Update.

“Cloud Hosted” Customers:

All our active Cloud-Hosted customers’ MIDAS systems have already been updated to v4.36.

We seamlessly apply software updates for our cloud hosted customers. So you’ll always have access to the latest features, and never need to worry about running outdated software.


Improved Device Detection

Whenever your user account is logged into from a new or unfamiliar device, MIDAS can automatically alert you by email. This additional security feature helps keep your account secure by alerting you to suspicious logins. An unfamiliar login notification includes details of the browser, operating system, IP address, and – with our optional Geolocation addon – location, of the device that’s just logged into your account.

Until now, MIDAS has been unable to distinguish between more recent operating system versions. For example, between Windows 10 and Windows 11, or between MacOS Ventura and Sonoma.

This is because MIDAS has relied on the “User Agent” (UA) string that’s presented by the browser that’s logging in.

Here’s an example of a browser’s “User Agent” string presented to a web server:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

There’s a lot of information there, but essentially, from this string MIDAS can derive that it’s a Windows (64 bit) device, and the browser is Google Chrome 123.

Here’s another example:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0

From this, MIDAS can derive that it’s a macOS device, and the browser is Firefox 124.

But wait… can’t MIDAS also determine the exact version of the operating system from these UA strings?

Mac OS X 10.15…. Catalina? …Big Sur? …Monterey? …Ventura?

Doesn’t “Mac OS X 10.15” imply macOS Catalina? ..and doesn’t “Windows NT 10.0” imply Windows 10?

Well, that used to be the case, but not any more!

Modern browsers now “clamp” the versions of more recent macOS/Windows operating systems reported by the User Agent string. For macOS operating systems, the User Agent string will report a maximum of macOS X 10.15. For Windows operating systems, a maximum of Windows 10 will be reported. Browsers no longer natively report the specific version of the operating system they’re running on.

This means that a Chrome browser running on either Windows 10 or Windows 11 will report “Windows NT 10.0”. Similarly, macOS Catalina (10.15), Big Sur (11), Monterey (12), Ventura (13), and Sonoma (14), will all report “Mac OS X 10.15”.

So Windows 10 and 11 are the same then?

In an effort to improve user privacy, browsers have decided to no longer reveal the specific operating system version a user is using when visiting a website, in order to make it harder for websites to “fingerprint” users.

“Fingerprinting” is a technique that some websites employ to uniquely identify and potentially track visitors.

So because of these changes to the way browsers report User Agent strings, it’s been difficult for MIDAS to provide an unfamiliar login notification containing details of the exact operating system version that’s been used to log in to an account.

But advancements in technology mean that we’ve now been able to make improvements to device detection for MIDAS v4.36.

Utilizing New “Client Hint” technology

Client hints are a set of HTTP request headers that provide useful information about the client such as device type and network conditions. This then allows servers to optimize what is served for those conditions.

Unlike the traditional “User Agent String”, client hints provide a more efficient and privacy preserving way of getting the desired information.

A web server can proactively request the client hint headers it is interested in. The browser can then include the requested headers in subsequent requests.

If the web server upon which a MIDAS system is running proactively requests either the “sec-ch-ua-platform-version” or “ua-platform-version” client hint header, MIDAS can receive details of the user’s operating system version.

Unfamiliar login notifications (if enabled) can then provide much more accurate information as to the operating system of the new device which has logged into your account.

Improved Device Detection in MIDAS v4.36

Web Server Configuration

Because a web server has to proactively request these new client headers in order for browsers to respond to them, servers have to be configured accordingly.

All of our cloud-hosted nodes have been appropriately configured. Our client servers now proactively request the necessary Client Hint headers. This in turn means that all cloud hosted users can start to take advantage of these improvements to device detection and unfamiliar login notifications.

For self-hosted customers, a small configuration change to the web server your MIDAS system is running from is required.

Details of the configuration change you’ll need to make can be found in our KB article, How to configure your server for Client Hints.
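The fallback logic described in this post can be sketched as follows. This is an added example, not MIDAS's own code: the function names are hypothetical, the Windows mapping follows Microsoft's published guidance for Chromium browsers (a platform version of 13 or higher means Windows 11), and the macOS names are those listed above.

```python
import re

# Response header with which a server requests the high-entropy hint.
ACCEPT_CH = ("Accept-CH", "Sec-CH-UA-Platform-Version")
# Release names as listed in the post above.
MACOS_NAMES = {11: "Big Sur", 12: "Monterey", 13: "Ventura", 14: "Sonoma"}


def _unquote(value):
    """Client hint values arrive as quoted strings, e.g. '"15.0.0"'."""
    return value.strip().strip('"') if value else None


def os_from_user_agent(ua):
    """OS as far as the clamped User-Agent string can reveal it."""
    if "Windows NT 10.0" in ua:
        return "Windows 10 or later"
    m = re.search(r"Mac OS X (\d+)[._](\d+)", ua)
    if m and (int(m.group(1)), int(m.group(2))) >= (10, 15):
        return "macOS 10.15 or later"
    if m:
        return f"macOS {m.group(1)}.{m.group(2)}"
    return "Unknown"


def detect_os(headers):
    """Prefer the platform-version client hint; fall back to the UA string."""
    h = {k.lower(): v for k, v in headers.items()}
    platform = _unquote(h.get("sec-ch-ua-platform"))
    version = _unquote(h.get("sec-ch-ua-platform-version")
                       or h.get("ua-platform-version"))
    parts = version.split(".") if version else []
    if parts and all(p.isdigit() for p in parts):
        major = int(parts[0])
        if platform == "Windows":
            # Chromium reports the Windows API contract version, not "11":
            # 13 and above means Windows 11, 1 to 10 means Windows 10.
            if major >= 13:
                return "Windows 11"
            if 1 <= major <= 10:
                return "Windows 10"
        elif platform == "macOS":
            if major in MACOS_NAMES:
                return f"macOS {major} ({MACOS_NAMES[major]})"
            if parts[:2] == ["10", "15"]:
                return "macOS 10.15 (Catalina)"
            return f"macOS {version}"
    # Hint absent (not requested, or the browser does not send it) or malformed.
    return os_from_user_agent(h.get("user-agent", ""))
```

Both the hint and the User-Agent string are supplied by the client, so the result is descriptive text for the notification email, not something to base an access decision on.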


One-Stop Database Cleanup Tool

MIDAS includes a number of handy “Database Tools”.

These tools help system administrators keep their MIDAS systems running efficiently.

The “Cleanup” tools allow for the quick removal of obsolete data within a MIDAS booking system.

Separate tools are provided for removing outdated bookings, invoices, clients, and users respectively.

There’s also an “Optimize Database” tool which runs a series of commands on the underlying MySQL / MariaDB database to help it run more efficiently.

For v4.36, we’ve added a new “One-Stop Cleanup” tool to the list of cleanup tools. This new tool provides a fast way to collectively run several other cleanup tools.

Performing a “One-Stop Cleanup” will, in a single action:

  • Remove bookings that occurred more than 5 years ago.
  • Remove invoices that were paid more than 5 years ago.
  • Remove clients with no bookings in the past 2 years.
  • Remove users who have not logged in for more than 1 year.
  • Optimize the database.

Our software imposes no limit on how long data persists, so without using the Database Cleanup tools, data will persist indefinitely.

An organization may have a requirement for client and invoice data to be kept for a specific period of time, but it’s unlikely that most organizations will need to keep such information indefinitely.

This is where the cleanup tools in MIDAS become useful.

Performing routine cleanups of very old and obsolete data in your MIDAS system helps keep it running efficiently.

Database Tools in MIDAS