Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

changed input type for password fields from 'text' to 'password' #128

Open
wants to merge 1 commit into
base: master
from

Conversation

@hb9fxq
Copy link
Contributor

@hb9fxq hb9fxq commented Nov 5, 2017

No description provided.

@jks-prv
Copy link
Owner

@jks-prv jks-prv commented Nov 6, 2017

I'm not sure I want to do this (yet). With this change Firefox will complain that sending a password is not secure because https is not being used. This is correct, but I will get emails and forum posts asking what has changed. And I don't really want the extra support burden at this point. I have to answer too many emails each morning as it is.

The real issue is that admin connections should probably upgrade to https. But I have never understood how the whole certificate mechanism works and whether it can be done at a low cost for small companies like us who cannot afford to spend thousands of dollars per year on certificate registration (my knowledge about this is likely very out-of-date).

@hb9fxq
Copy link
Contributor Author

@hb9fxq hb9fxq commented Nov 6, 2017

We can talk about the self signed certificates via email or so, nobody is going to spend a cent for that :-)

The warning is ok. Accept it as it is -> But, showing the Kiwi at a conference on a beamer, or even on road.... I'd say it is enough that the password is not encrypted on the wire but you should not also present it on the screen....

@jks-prv
Copy link
Owner

@jks-prv jks-prv commented Nov 6, 2017

Yes, I agree. Please email me directly at support@kiwisdr.com to discuss. And please excuse my lack of knowledge about security best practices. I am learning about a lot of these topics for the very first time with this project and of course I'm always in a huge hurry to get things done. Things like quality and security unfortunately suffer as a result.

I also thought it would be good to include the typical checkbox that says "show password" for those folks (like me, lol) who have trouble typing blind sometimes.

@jks-prv jks-prv added the enhancement label Nov 6, 2017
@herrfeuer
Copy link

@herrfeuer herrfeuer commented Nov 21, 2017

Aehm, Sorry Sir, but this is a Security Issue not an enhancement.

We can discuss about Letsencrypt integration, this would be a enhancement.

@jks-prv
Copy link
Owner

@jks-prv jks-prv commented Nov 21, 2017

Well sure, I'm happy to make a new label called "security" instead of reusing the enhancement label if that would make you happy.

The only reason this hasn't been changed yet is because you will get a nasty message from the browser (Firefox at least) saying a form submit with type=password over a non-https connection is insecure (which it is!) But there are some complications here. The submit isn't directly going over the wire as http. It's going to javascript via an onsubmit=. So the type=password is really just a way to get opaque character entry in the input field. But to use it the entire Kiwi connection would have to be https. And that means the pain of dealing with certs etc. I have never done any of that and there would be a learning curve.

There are easier ways to get opaque entry. Sure, the https problem needs to be solved eventually. But if you're doing that then there is also the question of data sent on the web sockets. Using secure web sockets has big performance implications.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
You can’t perform that action at this time.