Add option for http #13

Closed
maltefiala opened this issue May 19, 2014 · 10 comments

@maltefiala
Member

There is a wish for allowing HTTP connections: owncloud/notes#45

I propose we implement an option to allow http. This option will be off by default. That is quite a reverse approach to other software and could be misleading. However, it represents aykit's support for more secure software far better.

This issue should be updated when an agreement has been found.

@stefan-niedermann

Giving control to the users means letting them make the "wrong" choice, too.
For example, I have an instance on a sharehoster which does not allow an SSL connection. I'd like to use this app, too. I know the risks, but if I had full control, I should be able to make this choice.

@jancborchardt

It should not be implemented as an »option«, but rather as a fallback. The flow should be like this:

  1. I put in the address of my ownCloud instance
  2. It shouldn’t matter if I put just the myowncloud.com, or with https:// prepended, or with http://, or with the webdav (remote.php/webdav) appended
  3. https is always tried first (the webdav part is cut since I assume you use the Notes API – people might still put that in because it’s needed for WebDAV clients)
  4. If it doesn’t work, there’s a popup saying: »The address doesn’t work. Maybe it’s wrong, or SSL is not enabled. We recommend using SSL (https) for a secure connection«.
  5. there should be two options to click: »Change address« and »Use http (not secure)«
  6. Choosing to change the address goes back to step 1 (with the address intact and changeable, not that I need to put it in again!). Choosing http tries http connection
  7. If it works, you proceed to username+password input. Once the auth with that works, the notes list should automatically be loaded and displayed.

@stefan-niedermann

Another suggestion based on @jancborchardt:

  1. I put in the address of my ownCloud instance
  2. It shouldn’t matter if I put just the myowncloud.com, or with https:// prepended, or with http://, or with the webdav (remote.php/webdav) appended
  3. https is always tried first (the webdav part is cut since I assume you use the Notes API – people might still put that in because it’s needed for WebDAV clients)
  4. If it doesn’t work, there’s a popup saying: »The address doesn’t work. Maybe it’s wrong, or SSL is not enabled. We recommend using SSL (https) for a secure connection«. Try http://. If http:// is not available, there’s a popup saying "The address doesn't work. Maybe it's wrong". If http:// does work, there’s a popup saying "Warning: SSL is not enabled, sending passwords over an unsecure connection is not recommended!" (or so).
  5. There should be a "try-me-i-know-what-i-am-doing" button ("OK") and an "aargh-you-are-right-i-will-configure-ssl" button ("Abort")
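
The flow proposed in the two comments above, sketched as an added example (not code from the app or from any participant in this thread). The function names, `probe` (an unauthenticated reachability check) and `confirm_http` (the warning popup) are hypothetical stand-ins injected by the caller; the order follows the second variant, where http:// is probed before the warning is shown.

```python
from urllib.parse import urlsplit

# Suffix that users copy from WebDAV clients; cut because the Notes API is used.
WEBDAV_SUFFIX = "/remote.php/webdav"


def normalize_address(raw):
    """Strip scheme, trailing slash and WebDAV suffix; return host[:port][/path]."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "//" + raw  # lets urlsplit treat a bare "host:port" as a netloc
    parts = urlsplit(raw)
    if parts.scheme not in ("", "http", "https") or not parts.netloc:
        raise ValueError("not a usable server address")
    path = parts.path.rstrip("/")
    if path.lower().endswith(WEBDAV_SUFFIX):
        path = path[: -len(WEBDAV_SUFFIX)]
    return parts.netloc + path


def choose_url(raw, probe, confirm_http):
    """Return the base URL to use, or None if the user must change the address.

    HTTPS is always tried first, even when the user typed http://.
    Plain HTTP is returned only if it is reachable AND the user accepted
    the warning. probe() must not send credentials: username and password
    are asked for only after a URL has been chosen.
    """
    base = normalize_address(raw)
    https_url = "https://" + base
    if probe(https_url):
        return https_url
    http_url = "http://" + base
    if probe(http_url) and confirm_http(http_url):
        return http_url
    return None


if __name__ == "__main__":
    # Constructed sample: a server that answers on plain HTTP only.
    reachable = {"http://myowncloud.com"}
    picked = choose_url("myowncloud.com/remote.php/webdav",
                        probe=lambda url: url in reachable,
                        confirm_http=lambda url: True)
    print(picked)
```
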

@maltefiala
Member Author

As our opinions deviate and as I need far more space to explain my point of view, I published a blog post regarding this issue: https://blog.entwicklerbier.org/2014/05/securing-the-internet-of-things-how-about-securing-the-internet-first

@jancborchardt

I agree with @stefan-niedermann’s suggestion.

@maltefiala it’s very simple: Many people don’t have the means to add SSL to their ownCloud instance. For whatever reason. As long as they are informed that this is insecure, it should still work. Otherwise you’ll lock out a large part of potential users who have no means of changing the reason anyway.

@maltefiala btw, since Aykit is based in Vienna, you might want to meet up with @Raydiation – he’s the developer of the News and Notes apps (and the Appframework) and based in Vienna as well! :)

@maltefiala
Member Author

Connection without SSL will not be tolerated.

@prasinos
prasinos commented Jul 7, 2014

@maltefiala Your stance about http/https is laudable, however there are cases where http makes sense (e.g., hosting owncloud on a home server that is accessible only over VPN, with the VPN server at the same machine listening to port 443 to avoid firewalls).
In any case, thanks for the app.

@BernhardPosselt

@prasinos even there the HTTPS setup will work ;)

@prasinos
prasinos commented Jul 7, 2014

@Raydiation True ;) But, it requires changing the config of the openvpn server to listen to some other port, and the config of the router to redirect 443 to the new port, etc. Not that difficult of course, but it's not that clean either.
Anyway, I didn't want to reopen the issue, I respect maltefiala's decision.

@maltefiala
Member Author

@prasinos: The next release allows custom ports. See 826ac09
