edwardrios
I've found a few chunks of information in this forum regarding WebBrain's security, but I'm still unsure about the security of a private brain.

How secure is WebBrain? Is everything encrypted?

Thanks,
Ed
Windows 7
Java 1.7.0_25
TheBrain 8.0.1.4
Quote
mcaton
Ed,

WebBrain synchronization is protected using 128-bit AES Encryption. (The same encryption used by the US government to protect classified information.)

It has a secure upload, storage and download of all data.

Thank you,
Matt
Quote
3railkoen
Hi, OK, transportation seems secure.

But what about the security of your datacenter itself, user access management controls, my account panels (which seem not to be on HTTPS), the controls you have in place to ensure security, external auditing, and the security standards you have implemented, such as COBIT or ISO 27000?

Can you expand on these?

If I want to store sensitive data in my WebBrain (private part), is this secure? And by what standards?

Thanks

Best regards,

Koen
Quote
Tracy
Hi Koen,
Yes, your data is also physically secure - TheBrain utilizes Amazon Web Services, which provides state-of-the-art facilities and security. For more information, see http://aws.amazon.com/articles/1697
I have also attached our WebBrain Security document, which covers this in more detail.

Tracy
Tracy Barr
TheBrain Technologies
Quote
alesb
Hi,

Reading some other posts on security and encryption, I decided to ask my clarification question here.

I am convinced that upload (sync) is secured with SSL transport, and I also believe that storage is encrypted.

But why is the viewing of the private brain via plain HTTP (no SSL)? I see that login to WebBrain is secured, but all other actions are plain, including downloading of the online brain.

I believe that the server app won't allow downloading of the brain if the user is not properly logged in. But my concern is that a properly logged-in user downloads the brain in plain text. And that can be intercepted if not secured.

Is it possible to enable SSL somehow, for at least the private-marked brain(s)? And if not already available, is it planned for the near future?
And if the answer to all is no, please explain this in some detail.

Thank you in advance,
A
Quote
mcaton
A,

Thank you for posting.  The SSL functionality you have described is not currently available, however, I will write this up as a feature request for our engineers to review.

Thank you,
Matt 
Quote
MNICHOLS2K
What is the status of providing WebBrain over SSL?  I am concerned that unencrypted downstream traffic from WebBrain can be intercepted and be read as plain text.

Is there an official, consolidated thread for security issues related to WebBrain?

Thank you
Quote
Parkerman
Hi all,

For private cloud-based Brains, whilst the Cloud logon page is SSL-secured via HTTPS, am I correct in assuming that once a connection is made and a private Brain opened, the internet traffic/data back and forth is completely unencrypted over the internet, as it takes place on a basic unencrypted HTTP connection?

To quote from Wikipedia today:

"A site must be completely hosted over HTTPS, without having some of its contents loaded over HTTP, or the user will be vulnerable to some attacks and surveillance."

and ...

"On a site that has sensitive information somewhere on it, every time that site is accessed with HTTP instead of HTTPS, the user and the session will get exposed."

Surely comprehensive SSL connections are essential for private Brain access if there is sensitive information, and in order to comply with Data Protection legislation in various countries. Your Press Release on 7 May 2013 refers to "online secure cloud services", which implies the service can be used for sensitive information and, if the above is correct, does appear to be misleading.

If the internet traffic is unencrypted and SSL or HTTPS connections are the only way to properly secure data, either TheBrain team needs to make this very clear and transparent to existing users and new customers on the website, or very quickly dig into your pockets and implement SSL connections across all cloud service connections.

Whilst I do love TheBrain software and the recent enhancements to Cloud services, I will not feel comfortable accessing private Brains containing sensitive information online until this situation is clarified/remedied.

Cheers, Chris


Quote
Parkerman
PS: If you think I am worrying too much about security and encrypting internet traffic, the following link (re a PwC survey report, whilst arguably exaggerating a bit!) clearly demonstrates escalating IT security breaches in small to large businesses:
http://www.ion.icaew.com/itcounts/26727
(£1 sterling/UK is roughly $1.50 US)

It appears many businesses already lose money through security breaches and will inevitably look to recover compensation from those (particularly cloud based) who did not properly warn them of "obvious" issues or adopt the latest stringent security policies. Loose and misleading promises of secure sites and data will not be tolerated in future.  Now that TheBrain Cloud Services are taking off there needs to be fully secure access to data online or ONLY public non-sensitive information can be accessed online. Without an SSL connection to an online Private Brain I think there should be a warning on each delivered web page to the effect that the actual connection is not encrypted or secure and caution should be exercised before inputting or viewing sensitive data via such a web page.

Evernote implement full SSL/HTTPS security to their online Notes access even for free users, by way of example and comparison.  TheBrain Combo or paid Cloud Services are not cheap so should warrant comprehensive SSL/HTTPS connections.  This could be an additional selling point to distinguish between free and paid users and encourage upgrading. In the future it may also be necessary to think about encrypted and password protected Thoughts/Notes where sensitive data is held.  The days of relying on volumes of internet traffic as a form of ("drop in the ocean") security are nearly over.
Quote
greenwood
SSL is just the transport. Of more interest is how the "login" (grammar nazi: should be "log in") form is protected against XSS, and even with SSL, do we get a different session ID (which is a moot question if it goes back to HTTP)? Those are A2 and A3 on OWASP. I'm also interested in how CSRF is mitigated (A8).

Quote
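As an added illustration of the exposure Chris and greenwood describe above (this is example code, not code from the thread or from TheBrain): a small audit that takes one captured HTTP response (URL, headers, body) and reports what an HTTPS login followed by HTTP viewing leaves exposed: the page itself in the clear, a session cookie without Secure/HttpOnly, no HSTS, and sub-resources loaded over http://. The two sample responses and their hostnames are constructed for the example.

```python
import re

# Constructed sample responses (not captured from WebBrain). WEAK mirrors the
# situation in the thread: HTTPS login, then the private brain viewed over HTTP.
# FIXED is what the same response should look like once everything is on HTTPS.
WEAK = {
    "url": "http://cloud.example.test/brain/private/view",
    "headers": {"Set-Cookie": ["JSESSIONID=abc123; Path=/"]},
    "body": '<script src="http://cdn.example.test/app.js"></script>',
}
FIXED = {
    "url": "https://cloud.example.test/brain/private/view",
    "headers": {
        "Set-Cookie": ["JSESSIONID=abc123; Path=/; Secure; HttpOnly"],
        "Strict-Transport-Security": "max-age=31536000",
    },
    "body": '<script src="https://cdn.example.test/app.js"></script>',
}

def cookie_flags(set_cookie):
    """Parse one Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, flags

def audit(resp):
    """Return a list of transport-exposure findings for one response."""
    findings = []
    over_https = resp["url"].lower().startswith("https://")
    if not over_https:
        findings.append("page served over plain HTTP: content and session visible in transit")
    for sc in resp["headers"].get("Set-Cookie", []):
        name, flags = cookie_flags(sc)
        if "secure" not in flags:
            findings.append(f"cookie {name} lacks Secure: browser will also send it over HTTP")
        if "httponly" not in flags:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    if over_https and "Strict-Transport-Security" not in resp["headers"]:
        findings.append("no HSTS header: a later plain http:// request is still possible")
    # Mixed content: sub-resources fetched over http:// even though the page is https://
    for m in re.finditer(r"""(?:src|href|action)=["'](http://[^"']+)""", resp["body"], re.I):
        findings.append(f"mixed content: {m.group(1)}")
    return findings

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(resp) or ["no findings"])
```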
rojeras
Hi,

Can you please confirm that this issue is solved?

Regards, rojeras
-----------------------------------
Latest build of PB 8 (if not otherwise noted) on Linux Mint 17 Xfce, Win 8 Professional and Android
Quote
pthompson
Yes, this is resolved. Viewing of Brains online is via HTTPS.
Patrick Thompson
TheBrain Technologies
Quote
rojeras
Great, thanks a lot!
-----------------------------------
Latest build of PB 8 (if not otherwise noted) on Linux Mint 17 Xfce, Win 8 Professional and Android
Quote
mctrexler
I'm dealing with a client who is very concerned about security. Is there an updated WebBrain Security document that has the latest info? Tracy uploaded one in 2012, but presumably there is something more recent?

Thanks,

Mark
Quote
pthompson
Here is a link to our security documentation:

TheBrain Cloud Services Access Control and Security Documentation
Patrick Thompson
TheBrain Technologies
Quote