Security is our number one priority here at MIDAS. We constantly strive to ensure our software remains secure, and provide users with a range of tools to help keep their MIDAS accounts and data secure.
We’re further enhancing security in MIDAS v4.25 and introducing a new admin setting.
New & Unfamiliar Login Notifications
A new “Alert users upon logins from unfamiliar devices” setting is located under MIDAS Admin Options → Manage MIDAS → Security.
With this setting enabled, a login to a user account from an unfamiliar browser/device will trigger an automated email notification to the account holder.
This email notification is customizable through a template via MIDAS Admin Options → Manage MIDAS → Templates. The default notification provides details of the browser, operating system, and IP address of the new login. It advises that the notification can be safely ignored if the new login was genuine, or what to do if the user doesn’t recognize the login.
Obviously for these email notifications to be sent, your MIDAS system must be correctly configured for sending email.
Other “Under The Hood” Security Enhancements
You’ll often see “Security Enhancement” in the changelog for our MIDAS software. This is nothing to worry about, and it’s part of our pro-active approach to security.
We routinely make small changes to improve and “harden” our software against a variety of threats.
One of the security enhancements in v4.25 is to drop our usage of the “Math::Random::Secure” Perl module. Perl, the language MIDAS is written in, can generate random numbers natively with its built-in rand function, and MIDAS uses random numbers for a variety of things, including password generation and unique session tokens. However, Perl’s native generator is not “cryptographically secure”: its output can be predicted by anyone who can observe or reconstruct its internal state, which is exactly what a session token must not be. For that reason we have been using the “Math::Random::Secure” module to ensure that the random numbers MIDAS generates are cryptographically secure.
The developers of “Math::Random::Secure” haven’t updated it in over three years. Whilst the module still functions, it depends upon another module (Crypt::Random::Source), which itself depends upon another module (Any::Moose) that has since been deprecated.
So for this reason, and also for performance reasons, MIDAS v4.25 now defaults to using Crypt::PRNG (part of the CryptX distribution) instead. If this Perl module isn’t available on your server, MIDAS will simply revert back to Perl’s native random number generator, which means generated passwords and session tokens then come from the non-cryptographic generator described above. Perl modules are easy to install, so for enhanced security we’d recommend installing Crypt::PRNG on your server and confirming it loads.
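As an added illustration (this is our own example, not MIDAS’s code), the Perl script below shows the pattern described above: prefer Crypt::PRNG when it is installed, fall back to core rand() otherwise, and in the fallback case say so loudly, because the whole reason for the module is that rand() must not be used for tokens. The function names, the 256-bit token length and the password alphabet are our own choices and are not taken from MIDAS.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Prefer Crypt::PRNG (shipped in the CryptX distribution). If it cannot be
# loaded we fall back to core rand(), which is NOT cryptographically secure,
# and we warn once so that the downgrade does not go unnoticed.
my $HAVE_CSPRNG = eval { require Crypt::PRNG; 1 } ? 1 : 0;
my $warned_fallback = 0;

sub rng_source {
    return $HAVE_CSPRNG ? 'Crypt::PRNG' : 'core rand() (NOT cryptographically secure)';
}

# Return $n random bytes from the best available source.
sub random_octets {
    my ($n) = @_;
    return Crypt::PRNG::random_bytes($n) if $HAVE_CSPRNG;
    warn "Crypt::PRNG not installed; falling back to core rand()\n"
        unless $warned_fallback++;
    return pack('C*', map { int(rand(256)) } 1 .. $n);
}

# A 256-bit session token, hex encoded (64 characters).
sub session_token {
    return unpack('H*', random_octets(32));
}

# A password drawn uniformly from an alphabet. Bytes at or above the largest
# multiple of the alphabet size are rejected, which avoids modulo bias.
sub generate_password {
    my ($len, $alphabet) = @_;
    # Default alphabet omits easily confused characters (0/O, 1/l/I).
    $alphabet //= 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789';
    my @chars = split //, $alphabet;
    my $limit = 256 - (256 % @chars);
    my $out   = '';
    while (length $out < $len) {
        my $byte = ord random_octets(1);
        next if $byte >= $limit;      # reject to keep the draw uniform
        $out .= $chars[ $byte % @chars ];
    }
    return $out;
}

print "RNG source:    ", rng_source(),          "\n";
print "session token: ", session_token(),       "\n";
print "password:      ", generate_password(16), "\n";
```

Run it on the server that hosts MIDAS. If it reports the rand() fallback, install the module (for example with `cpanm CryptX`, or `cpan Crypt::PRNG`) and re-run; `perl -MCrypt::PRNG -e 1` exiting silently is the quickest confirmation that the module loads for the Perl interpreter your web server uses.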
Dropping TLS 1.1 support for cloud-hosted customers
TLS stands for “Transport Layer Security” and is the protocol used to secure connections and communications over the internet. To date there have been four versions of TLS (1.0, 1.1, 1.2 and 1.3), each more secure than the last. The original TLS 1.0 is considered “weak” and is no longer supported by modern browsers. We previously dropped support for TLS 1.0 on our servers back in July 2017.
To coincide with the release of MIDAS v4.25, we’ll be dropping support for TLS 1.1 connections to our client servers. Our client servers will continue to support both TLS 1.2 and TLS 1.3 secure connections.
Dropping TLS 1.1 support should have no noticeable impact for regular users of MIDAS. We’ve already dropped TLS 1.1 support on our website. If you’re reading this post, then you’ll still be able to access your hosted MIDAS system once TLS 1.1 support is dropped.
However, if you’re a cloud-hosted MIDAS customer utilizing the optional MIDAS API then you may need to take action. Please ensure that your applications and the underlying programming language you develop in can support (and are correctly configured for) TLS 1.2/1.3 connections.
If your applications/programming languages do not support at least TLS 1.2, your MIDAS API calls will begin to fail once we disable TLS 1.1 support.
Please refer to the vendor of your programming language if you’re unsure whether it supports TLS 1.2/1.3, or for assistance enabling such support in your development environment. This doesn’t affect API users interfacing with a self-hosted MIDAS system.
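As an added, self-contained check (our own example, not part of this post or of the MIDAS API), the Perl script below attempts a connection to a host at each TLS version in turn and reports which versions this client and that server can negotiate. It assumes IO::Socket::SSL with a Net::SSLeay/OpenSSL build recent enough to know TLS 1.3, and uses the placeholder hostname example.com, which you would replace with the address of your hosted MIDAS system.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;

# Placeholder: replace with the hostname of your hosted MIDAS system.
my $host = 'example.com';

# Force exactly one protocol version per attempt. A successful connect means
# both this client and the server still accept that version; after TLS 1.1
# is switched off, the TLSv1_1 line should read "rejected" and the
# TLSv1_2 line must read "accepted" for API calls to keep working.
for my $ver (qw(TLSv1_1 TLSv1_2 TLSv1_3)) {
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => 443,
        SSL_version     => $ver,             # restrict to this version only
        SSL_verify_mode => SSL_VERIFY_PEER,  # verify the server certificate
        SSL_hostname    => $host,            # send SNI, as a browser would
        Timeout         => 10,
    );
    if ($sock) {
        printf "%-7s accepted (negotiated %s)\n", $ver, $sock->get_sslversion;
        $sock->close(SSL_ctx_free => 1);
    }
    else {
        printf "%-7s rejected: %s\n", $ver, $IO::Socket::SSL::SSL_ERROR // $@;
    }
}
```

A “rejected” line only tells you that the version could not be negotiated between this particular client and the server; if TLSv1_2 is rejected from your development environment but accepted from another machine, the OpenSSL your language runtime is linked against is too old. The same probe from the command line is `openssl s_client -connect example.com:443 -tls1_2` (and `-tls1_1`, which should now fail).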
These are just a few of the new and improved features for MIDAS v4.25. Please see this post for details of other new features you’ll find in v4.25.
You can also ask questions and discuss the new features of v4.25 over on Reddit.