are cbots encrypted and secure if Ctrader running on a VPS?
are cbots encrypted and secure if Ctrader running on a VPS?
23 Dec 2020, 00:25
Hi!
Does anyone know if your cbots are encrypted or secure from hacking if installing ctrader on a VPS? Like BeeksVps in London?
Replies
EagleMoxy
03 Jan 2021, 13:04
RE:
Thankyou Panagiotis!
Does ctrader automate apply any type of obfuscation? do you think it necessary if hosting on a VPS server? I think those environments provide protection from hackers..
PanagiotisCharalampous said:
Hi EagleMoxy,
If you build your cBot without source code, then the content is encrypted and the source code is not distributed with the .algo file.
Best Regards,
Panagiotis
@EagleMoxy
PanagiotisCharalampous
04 Jan 2021, 09:20
Hi EagleMoxy,
No it doesn't. You obfuscate dll files that can can be decompiled, just to make the life of the perpetrator a bit harder. There is no point to obfuscate encrypted files.
Best Regards,
Panagiotis
@PanagiotisCharalampous
EagleMoxy
07 Jan 2021, 11:02
RE:
ok great so the files are decrypted once I compile them from my source code into the .algo file for the vps. Do I need to install Ctrader on the vps as well or just upload the .algo file?
*( is there a way to get email notifications when a question is answered in the forum?)
PanagiotisCharalampous said:
Hi EagleMoxy,
No it doesn't. You obfuscate dll files that can can be decompiled, just to make the life of the perpetrator a bit harder. There is no point to obfuscate encrypted files.
Best Regards,
Panagiotis
@EagleMoxy
PanagiotisCharalampous
07 Jan 2021, 11:08
Hi EagleMoxy,
Yes you need to install cTrader on the VPS. We will have a look into the notifications issue.
Best Regards,
Panagiotis
@PanagiotisCharalampous
firemyst
07 Jan 2021, 15:14
RE: RE:
EagleMoxy said:
*( is there a way to get email notifications when a question is answered in the forum?)
Yes, there is.
You have to click the "Subscribe" button at the top of the page after you submit your response.
This forum doesn't automatically subscribe you to replies.
@firemyst
EagleMoxy
09 Jan 2021, 15:10
( Updated at: 21 Dec 2023, 09:22 )
RE: RE: RE:
A long time ago I used to get email notifications from "community@ctrader.com" but not since 16th january 2020.
I believe I am subscribed at the moment firemyst,
firemyst said:
EagleMoxy said:
*( is there a way to get email notifications when a question is answered in the forum?)
Yes, there is.
You have to click the "Subscribe" button at the top of the page after you submit your response.
This forum doesn't automatically subscribe you to replies.
@EagleMoxy
prosteel1
09 Jan 2021, 17:25
( Updated at: 09 Jan 2021, 19:39 )
When you have a VPS or dedicated server, the way you connect to it is upto you.
Personally I think the best way is to use a private/public key pair using SSH and I believe this is the standard for securing any server.
I store my private key on an Yubikey from Yubico.com for which I generated a 512 bit RSA key on tails while disconnected from the internet (running off a usb stick) (while wearing a tin foil hat) and then extracted the public key. It took a bit of working out, this is one of the guides I used:
Bascially, the security of your VPS or dedicated server is based on the security you set it up to use. My server has password authentication disabled and only accepts a security card such as an Yubikey, and it only accepts an Yubikey with my Private key on it as it checks it against the public key I uploaded to my server - so only I can access it. There is also a rate limit set. It started out as a standard password login server but I changed the settings and uploaded my public key to the public key folder (I'm an IT guy so I googled how to do this).
When I want to access my server I plug my Yubikey into my pc and open Putty which opens an ssh tunnel to my server. It then authenticates me using my Yubikey that is plugged into a usb port and I just type in a 6 digit code to unlock the Yubikey.
Your security is based on the way you authenticate to your server, not ctrader. You can do public/Private key authentication without an yubikey or similar, I like a hardware device because it travels with me on my car keys :)
Once the SSH Tunnel is made by Putty I use windows remote desktop connecting to local host and the port set in putty Eg. 127.0.0.1:3388 and so the connection from my local pc to my server is encrypted and secure. I have remote desktop disabled for remote connections but since I have a tunnel I have a local connection so I can connect using remote desktop via the tunnel :) I find Remote Desktop to provide the best experience especially for multiple monitor setups, but also in general the quality is great.
I don't think it is acceptable to be sharing a vps with other users, your broker login details could be accessed by anyone else using the same vps or dedicated server. Best to get your own vps and secure it properly as I mentioned above and not let anyone else have access to it.
@prosteel1
firemyst
10 Jan 2021, 11:44
RE:
PanagiotisCharalampous said:
Hi EagleMoxy,
No it doesn't. You obfuscate dll files that can can be decompiled, just to make the life of the perpetrator a bit harder. There is no point to obfuscate encrypted files.
Best Regards,
Panagiotis
Two points for clarification/confirmation @Panagiotis:
1) Spotware hypothetically (more than likely) has the ability to decrypt files as most other brokers that have custom software that encrypts code also has the ability to decrypt it. So any calgo files can be decrypted by Spotware, correct?
2) Are the files also encrypted when compiled from within Visual Studio?
Thank you.
@firemyst
PanagiotisCharalampous
11 Jan 2021, 09:36
Hi firemyst,
1) Yes
2) Yes
Best Regards,
Panagiotis
@PanagiotisCharalampous
firemyst
30 Jan 2022, 14:38
( Updated at: 21 Dec 2023, 09:22 )
RE:
PanagiotisCharalampous said:
Hi firemyst,
1) Yes
2) Yes
Best Regards,
Panagiotis
Is there a way, using the built in Dotfuscator tools that come with Visual Studio, to have the files obfuscated before they are compiled into the encrypted calgo files?
I haven't been successful in finding a way to compile a calgo project to a dll, run through the Dotfuscator, and then have it picked up and encrypted into a calgo file.
I know earlier in this thread you said it's pointless to obfuscate encrypted code, but I do have at least 2 clients who would like the code obfuscated regardless of how much cTrader encrypts.
Thank you.
@firemyst
PanagiotisCharalampous
31 Jan 2022, 08:00
Hi firemyst,
No it is not possible.
Best Regards,
Panagiotis
@PanagiotisCharalampous
PanagiotisCharalampous
23 Dec 2020, 08:22
Hi EagleMoxy,
If you build your cBot without source code, then the content is encrypted and the source code is not distributed with the .algo file.
Best Regards,
Panagiotis
Join us on Telegram
@PanagiotisCharalampous