Latest News: MIDAS v4.25 Now Available | COVID-19 Support

Posts Tagged: security

Security Enhancements in v4.25

Security is our number one priority here at MIDAS. We constantly strive to ensure our software remains secure, and provide users with a range of tools to help keep their MIDAS accounts and data secure.

We’re further enhancing security in MIDAS v4.25 and introducing a new admin setting.

New & Unfamiliar Login Notifications

A new “Alert users upon logins from unfamiliar devices” setting is located under MIDAS Admin Options → Manage MIDAS → Security.

With this setting enabled, a user account logged into from unfamiliar an browser/device, will trigger an automated email notification to the account holder.

Email Notification alerting user to an unfamiliar login to their account
Email Notification alerting user to an unfamiliar login to their account

This email notification is customizable through a template via MIDAS Admin Options → Manage MIDAS → Templates. The default notification provides details of the browser, operating system, and IP address of the new login. It advises that the notification can be safely ignored if the new login was genuine, or what to do if the user doesn’t recognize the login.

Obviously for these email notifications to be sent, your MIDAS system must be correctly configured for sending email.

Other “Under The Hood” Security Enhancements

You’ll often see “Security Enhancement” in the changelog for our MIDAS software. This is nothing to worry about, and it’s part of our pro-active approach to security.

We routinely make small changes to improve and “harden” our software against a variety of threats.

One of the security enhancements we’ve made in v4.25 is to drop usage of the “Math::Random::Secure” Perl module. Perl – the language that we develop our software in – is capable of natively generating random numbers. MIDAS uses random numbers for a variety of things, including password generation and unique session tokens. However, random numbers natively generated by Perl are not “cryptographically secure”. As such, we’ve been utilizing the “Math::Random::Secure” module to ensure that random numbers generated by MIDAS were cryptographically secure.

The developers of “Math::Random::Secure” haven’t updated it in over three years. Whilst the module still functions, it depends upon another module (Crypt::Random::Secure), which itself depends upon another module (Any::Moose) which has since been deprecated.

So for this reason, and also for performance reasons, MIDAS v4.25 now defaults to using Crypt::PRNG instead. If this Perl module isn’t available on your server, MIDAS will simply revert back to Perl’s native random number generator. However, it’s really easy to install Perl modules, and so for enhanced security we’d recommend installing Crypt::PRNG.

Dropping TLS 1.1 support for cloud-hosted customers

TLS stands for “Transport Layer Security” and is a mechanism used to facilitate secure connections and communications over the internet. To date, there have been three versions of TLS, each more secure than the last. The latest version of TLS is 1.3. The original TLS 1.0 version is considered “weak”, and no longer supported by modern browsers. We previously dropped support for TLS 1.0 on our servers back in July 2017.

To coincide with the release of MIDAS v4.25, we’ll be dropping support for TLS 1.1 connections to our client servers. Our client servers will continue to support both TLS 1.2 and TLS 1.3 secure connections.

Dropping TLS 1.1 support should have no noticeable impact for regular users of MIDAS. We’ve already dropped TLS 1.1 support on our website. If you’re reading this post, then you’ll still be able to access your hosted MIDAS system once TLS 1.1 support is dropped.

However, if you’re a cloud-hosted MIDAS customer utilizing the optional MIDAS API then you may need to take action. Please ensure that your applications and the underlying programming language you develop in can support (and are correctly configured for) TLS 1.2/1.3 connections.

If your applications/programming languages do not support at least TLS 1.2, your MIDAS API calls will begin to fail once we disable TLS 1.1 support.

Please refer to the vendor of your programming language if you’re unsure whether it supports TLS 1.2/1.3, or for assistance enabling such support in your development environment. This doesn’t affect API users interfacing with a self hosted MIDAS system.


These are just a few of the new and improved features for MIDAS v4.25. Please see this post for details of other new features you’ll find in v4.25.

Reddit You can also ask questions and discuss the new features of v4.25 over on Reddit.

We’re improving and simplifying the password reset process for MIDAS v4.19.

Due to the secure way passwords are stored by MIDAS, it’s not possible to “recover” a forgotten password, the only option is to request a password reset.

In the past, this process has been as follows:

  1. User clicks the “Forgot Your Password?” link on their MIDAS login screen
  2. The user then enters their email address and clicks “Reset My Password”
  3. MIDAS then emails the user with a reset confirmation link
  4. The user clicks the reset confirmation link
  5. MIDAS emails the user a new temporary password (which they’re required to change upon their next login)

We’re simplifying this process and so from v4.19 the process will instead be as follows:

  1. User clicks the “Forgot Your Password?” link on their MIDAS login screen
  2. The user then enters their email address and clicks “Reset My Password”
  3. MIDAS then emails the user with a temporary login link
  4. The user clicks the temporary login link and is prompted to enter a new password after which the user is logged in

This simplified password reset process removes the sending on two emails to users (a reset link followed by a temporary password), as just a single email will be sent. This also strengthens security as a temporary password is no longer sent via email.

This improved flow also addresses the issue of multiple password reset attempts and emails arriving out-of-order. For instance, take the following scenario:

  1. User initiates a password reset, receives an email with a reset link and clicks it
  2. Whilst the user is waiting for a new temporary password to be sent to them, the initiate a further password reset and click the reset link in that corresponding email
  3. The original temporary password email arrives, and the user attempts to use the temporary password. However, as they since initiated a second password reset request, the first temporary password is no longer valid

This caused confusion for a handful of users who’d attempted to reset their password several times within a matter of minutes couldn’t understand why the temporary password they received wasn’t being accepted.

The improved password reset flow for MIDAS v4.19 completely eliminates this. Even if a user initiates multiple password reset requests the links they receive via email will all permit the user to set a new password, until they have done so.

We’re sure these improvements will make it easier and stress free for users to reset their own passwords.

Along with these changes, administrators can also still specify how long password reset links are valid for (the default is 2 hours). This setting may be found via MIDAS Admin Options → Manage MIDAS → Security. For more information, please refer to the help documentation.

Of course, if a user isn’t able to reset their own password, any other administrative user who has been granted the “Can Manage Users & Permissions” user permission can reset a user password on their behalf.

Click here to continue reading about some of the other new & improved features coming in MIDAS v4.19!

Let's EncryptDuring the course of May we’ve been migrating our domain’s security certificates from ones issued by GlobalSign to ones issued instead by Let’s Encrypt.

What Is A Security Certificate?

In essence, a security certificate is what allows you to connect to a website over a secure https connection (instead of traditional, insecure, http). A valid and strong security certificate is what ensures that the connection and traffic between your web browser and the website/service you’re using is encrypted.

What Is A Certificate Authority?

Put simply, a “Certificate Authority” (or CA for short) is an organization responsible for issuing and revoking security certificates for websites. Popular CA’s include Comodo, Symantec, GoDaddy, and GlobalSign to name but a few.

Which Domains Are Affected?

All mid.as domains and *.mid.as sub domains (including our cloud-hosted customer’s domains)

Why Is This Happening?

Our security certificates were due for renewal in June, and as part of our continuous commitment to provide visitors to our site and customers alike with the best possible experience, we took the opportunity to review who provides our security certificates. Let’s Encrypt provide HTTPS certificates to over 70 million domains, and switching to certificates issued by Let’s Encrypt allows us to simplify and automate the management of security certificates across our growing MIDAS network.

Will I Notice Anything Different?

In short, no!

In order to migrate our CA from GlobalSign to Let’s Encrypt, we needed to remove the previous GlobalSign (AlphaSSL) certificate from each *.mid.as domain and install a new Let’s Encrypt certificate in its place. We have being doing this in a phased transition for all *.mid.as domains during the course of May, and we’re pleased to report that this transition to Let’s Encrypt is now fully completed.

Here’s how the old and new certificate issuers now look for our *.mid.as domains:

CA Migration to Let's Encrypt

We’d also like to reassure hosted customers that no domains, URLs, or IP addresses have changed as a result of this CA migration.

If you experience any issues or have any concerns, please don’t hesitate to reach out to us and we’ll be happy to help!

A note for cloud-hosted API users

Whilst unlikely, depending upon your code and development platform/language, you may initially receive a certificate warning/error when mmaking API calls now that the security certificate for your dedicated *.mid.as subdomain has changed, which may prevent your code/app from working temporarily until you accept the new security certificate.

Also, in some rare cases, you may not be able to access the API if your platform/device is listed as incompatible in Let’s Encrypt’s certificate compatibility list.

Finally, please be aware that Let’s Encrypt issues auto-renewing certificates which are valid for fixed periods of 90 days.

Disabling TLS 1.0 in early 2017

TLS stands for “Transport Layer Security” and is a cryptographic mechanism used to facilitate secure connections and communications over the internet. Several incarnations of the TLS protocol have been developed over the years (1.0, 1.1, and 1.2), with 1.0 being the oldest and now approaching the ripe old age of 18!

TLS 1.0 is now considered a “legacy protocol” and “weak” by today’s cryptographic standards, as it is susceptible to several vulnerabilities. Modern web browsers automatically default to preferring TLS 1.2 or TLS 1.1 over legacy TLS 1.0 connections, however some older browsers do not support the more modern and secure TLS 1.1/1.2 protocols.

As part of our ongoing commitment to security, in early 2017 we intend to drop support for legacy TLS 1.0 connections to our client servers. The vast majority of users will be unaffected by this change, but if you’re using an older web browser/operating system, you may need to update.

The minimum browser requirements for MIDAS v4.14 (and later) have also been updated accordingly.

The following table of web browsers provides additional guidance as to any action you may need to take to ensure you can continue to access our site/your hosted MIDAS system in 2017:

Browser Version Comments
Microsoft Internet Explorer 11 OK (If you see the “Stronger security is required” error message, you may need to turn off the “Use TLS 1.0” setting via Internet Options → Advanced)
9-10 OK (When running Windows 7 or newer, however you’ll need to enable TLS 1.1 and TLS 1.2 in Internet Explorer by selecting the “Use TLS 1.1” and “Use TLS 1.2” boxes via Internet Options → Advanced)
Upgrade Required (Windows Vista, XP and earlier are incompatible and cannot be configured to support TLS 1.1 or TLS 1.2 – Please update your operating system)
8 (or lower) Please update to a more recent version of Internet Explorer
Microsoft Edge All Versions OK – No action required
Mozilla Firefox 27+ OK – No action required
23-26 OK (Use about:config to enable TLS 1.1 or TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2)
22 (or lower) Please update to a more recent version of Firefox
Google Chrome (Desktop) 38+ OK – No action required
22-37 OK – No action required (Provided you’re running Windows XP SP3, Vista, or newer, OS X 10.6 (Snow Leopard) or newer)
21 (or lower) Please update to a more recent version of Chrome
Google Chrome (Mobile) Android 5.0+ (Lollipop) OK – No action required
Android 4.4.x (KitKat) Device Dependent (Some Android 4.4.x devices may not support TLS 1.1 or higher. Please refer to your device manufacturer if unsure)
Android 4.3 (Jelly Bean) (or lower) Please update to a more recent version of Android
Apple Safari (Desktop) 7+ OK – No action required
6 (or lower) Please update to a more recent version of Safari
Apple Safari (iOS) iOS 5+ OK – No action required
iOS 4 (or lower) Please update to a more recent version of iOS

Important Information For Hosted API users:

If you’re a cloud-hosted MIDAS customer utilizing the optional MIDAS API, please ensure that your applications and the underlying programming language you develop in can support (and are correctly configured for) TLS 1.1/1.2 connections. For instance Java 6 (1.6) (and lower) and .NET 3.5 (and lower) languages don’t support TLS 1.1/1.2.
If your applications/programming languages do not support at least TLS 1.1, your MIDAS API calls will begin to fail in early 2017 once we disable TLS 1.0.
Please refer to the vendor of your programming language if you’re unsure whether it supports TLS 1.1/1.2, or for assistance enabling such support in your development environment.

UPDATE: 1st April 2017

In advance of dropping TLS 1.0 support across our entire network this year, we’ve initially dropped TLS 1.0 support on our dedicated Service Status site. If you’re not sure whether or not you’ll still be able to access your hosted MIDAS system once TLS 1.0 support is dropped in the near future, please visit https://midas.network. If you’re able to visit this site without issue, then you’ll still be able to access MIDAS going forward.

UPDATE: 1st July 2017

As of today, our servers no longer accept TLS 1.0 connections. If you’re unable to access our site/a hosted MIDAS system, please upgrade your web browser.