Per a little bit more research it appears GET requests are protected with SSL.
My understanding before was that URLs are not encrypted, so it appears this is fine unless the SSL to Google is being stripped. (If that happens, then you're screwed anyway.)
In the documentation it suggests using:
This generates a URL to Google Charts.
Using this URL creates a GET request which allows all of the information to be sniffed.
Using:
Returns:
https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth%3A%2F%2Ftotp%2FYourCompany%3Aemail%3Fsecret%3DOhHeyThe2faSecret%26issuer%3DYourCompany
If you decode the &chl= part you get: otpauth://totp/YourCompany:email?secret=OhHeyThe2faSecret&issuer=YourCompany
The QR code should be generated server side rather than being passed to a 3rd Party.
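The decoding step from the issue can be turned into a check that flags any URL carrying an otpauth provisioning URI to another host in its query string, for example when reviewing rendered pages or proxy logs. This is an added example, not code from the library or from the issue; the function name find_otpauth_exposure is hypothetical and the sample is the placeholder URL quoted above.

```python
# Added example (not the library's code): flag URLs that hand a TOTP
# provisioning URI to the receiving host in a query parameter.
from urllib.parse import urlsplit, parse_qsl, unquote


def find_otpauth_exposure(url):
    """Return one finding per query parameter that holds an otpauth:// URI."""
    parts = urlsplit(url)
    findings = []
    # parse_qsl percent-decodes each value once, which is exactly what the
    # receiving server (and its request logs) will see.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if not value.lower().startswith("otpauth://"):
            continue
        otp = urlsplit(value)
        params = dict(parse_qsl(otp.query))
        secret = params.get("secret", "")
        findings.append({
            "receiving_host": parts.hostname,
            "parameter": name,
            "otp_type": otp.netloc,                  # "totp" or "hotp"
            "label": unquote(otp.path.lstrip("/")),  # issuer:account
            "issuer": params.get("issuer"),
            "secret_present": bool(secret),
            # Report only the length so the finding never repeats the secret.
            "secret_length": len(secret),
        })
    return findings


# The URL quoted in the issue, with its placeholder secret.
SAMPLE = (
    "https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr"
    "&chl=otpauth%3A%2F%2Ftotp%2FYourCompany%3Aemail%3Fsecret%3D"
    "OhHeyThe2faSecret%26issuer%3DYourCompany"
)

if __name__ == "__main__":
    for finding in find_otpauth_exposure(SAMPLE):
        print(finding)
```

TLS hides the query string from on-path observers, but the receiving host still gets the decoded secret, which is what the finding's receiving_host field records.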