ImageMagic Security Hole Fixed

A security hole was reported in ImageMagic, a tool that many websites including RunSignUp use for image resizing and processing. We learned of this issue yesterday and have updated the site with fixes last night. We did not detect any breaches as a result of this hole.

You can read more here and here. If you know of other sites that do image processing, make sure they know of this issue.

Secure Information Option

We have added the ability to collect Social Security Number, Drivers License and Passport as highly secure options to race registration. This was done at the request of a race held on a military base, but may be useful for other purposes as well (such as border crossing races that might require Passport numbers).

The data is stored in our database using 4096-bit RSA encryption.  We generate a “Private Key” for the race – it is the only key that will unlock the data. This means that no one else, including the administrators of the database at RunSignUp, can decrypt the data. If the race loses the key, the data cannot be decrypted and is lost forever.

The setup is under Race > Registration > Sensitive Information Collection.  Only RunSignUp can enable this feature for races.

Screen Shot 2016-01-13 at 10.06.42 AM.png

Once enabled, the race must set up their private key:

Screen Shot 2016-01-13 at 10.08.02 AM.png

Once the private key is set up, the following form will show.  NOTE – THIS IS THE ONLY TIME YOU WILL SEE THE PRIVATE KEY. You need to copy it into a secure place – we recommend a password protected document. THIS IS THE ONLY KEY THAT WILL UNLOCK THE DATA!

Screen Shot 2016-01-13 at 10.08.59 AM.png

Once you copy the Private Key and close the pop-up, you will then select which data elements you want to ask for from registrants on a per event basis:

Screen Shot 2016-01-13 at 11.04.06 AM.png

What Participants See

Participants are asked for the data when they register. The Social Security number is validated as a 9 digit number. The fields are set as required and must be filled in.

Screen Shot 2016-01-13 at 11.05.57 AM.png

Downloading Data

The “Download Participant Data” button downloads all data.  The user will see this popup, where they will need to enter their private key – yes that long string of numbers and characters. If filled in properly, then you will get a CSV spreadsheet download of the data. Make sure you properly protect this file and the data, as it is your responsibility.

One of the ways that you can keep this secure is to grant access to just this page for the Security Agent who is assigned to review the data. Then give them the Private key for them to download the data and do the background checks.

There is the ability to reset the private key. If the private key is reset, all previous data is lost – you will NOT be able to go back and retrieve any of the previous data.

HTTPS Improvements

HTTPS Security AuditThere was an recent article “HTTPS-crippling attack threatens tens of thousands of Web and mail servers” that caused us to evaluate our configuration and up our encryption to 2048-bit. This had been lower to support older browsers and and versions of Java – if you find any issues of the site not working please let us know.

Qualys has a nice free audit tool that will check any website – the results above are from that test. You can test any website. Older websites, or companies that do not invest much in technology may have low scores. This is another advantage of using RunSignUp so that your runner’s information stays secure using the latest technology.

SSL and Widgets

SSL WarningIf you are running a widget on your website, we strongly suggest that you make sure your site has an SSL certificate and the pages with RunSignUp widgets are https://mywebsite.com format – with the “s” after “http”.

In fact, even sites that do not have ssl certificates are safe since the RunSignUp widget uses SSL and the data being transferred from a runner’s registration widget in their browser is being transferred with TLS (the newer form of SSL) and is encrypted.

SSL WarningThe reason to have your site use SSL is two fold:

  • It is a good practice. All websites should use SSL.
  • Some browsers will show Error and Caution messages like the one above or to the right. Even though it is secure, they will think it is not.

You can get an SSL certificate from many different vendors (Google “buy ssl” and you will see plenty of ads!). GoDaddy is a well known one and has good information on their SSL Page – https://www.godaddy.com/ssl/ssl-certificates.aspx. It typically costs less than $60 per year and will require you to make some webserver configuration changes described on the GoDaddy pages as well as your webhost. There is a new low cost SSL certificate authority that will be coming out in  mid-2015 that some in the tech community are excited about – https://letsencrypt.org.