New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

changed input type for password fields from 'text' to 'password' #128

Open
wants to merge 1 commit into
base: master
from

Conversation

Projects
None yet
3 participants
@krippendorf
Contributor

krippendorf commented Nov 5, 2017

No description provided.

@jks-prv

This comment has been minimized.

Show comment
Hide comment
@jks-prv

jks-prv Nov 6, 2017

Owner

I'm not sure I want to do this (yet). With this change Firefox will complain that sending a password is not secure because https is not being used. This is correct, but I will get emails and forum posts asking what has changed. And I don't really want the extra support burden at this point. I have to answer too many emails each morning as it is.

The real issue is that admin connections should probably upgrade to https. But I have never understood how the whole certificate mechanism works and whether it can be done at a low cost for small companies like us who cannot afford to spend thousands of dollars per year on certificate registration (my knowledge about this is likely very out-of-date).

Owner

jks-prv commented Nov 6, 2017

I'm not sure I want to do this (yet). With this change Firefox will complain that sending a password is not secure because https is not being used. This is correct, but I will get emails and forum posts asking what has changed. And I don't really want the extra support burden at this point. I have to answer too many emails each morning as it is.

The real issue is that admin connections should probably upgrade to https. But I have never understood how the whole certificate mechanism works and whether it can be done at a low cost for small companies like us who cannot afford to spend thousands of dollars per year on certificate registration (my knowledge about this is likely very out-of-date).

@krippendorf

This comment has been minimized.

Show comment
Hide comment
@krippendorf

krippendorf Nov 6, 2017

Contributor

We can talk about the self signed certificates via email or so, nobody is going to spend a cent for that :-)

The warning is ok. Accept it as it is -> But, showing the Kiwi at a conference on a beamer, or even on road.... I'd say it is enough that the password is not encrypted on the wire but you should not also present it on the screen....

Contributor

krippendorf commented Nov 6, 2017

We can talk about the self signed certificates via email or so, nobody is going to spend a cent for that :-)

The warning is ok. Accept it as it is -> But, showing the Kiwi at a conference on a beamer, or even on road.... I'd say it is enough that the password is not encrypted on the wire but you should not also present it on the screen....

@jks-prv

This comment has been minimized.

Show comment
Hide comment
@jks-prv

jks-prv Nov 6, 2017

Owner

Yes, I agree. Please email me directly at support@kiwisdr.com to discuss. And please excuse my lack of knowledge about security best practices. I am learning about a lot of these topics for the very first time with this project and of course I'm always in a huge hurry to get things done. Things like quality and security unfortunately suffer as a result.

I also thought it would be good to include the typical checkbox that says "show password" for those folks (like me, lol) who have trouble typing blind sometimes.

Owner

jks-prv commented Nov 6, 2017

Yes, I agree. Please email me directly at support@kiwisdr.com to discuss. And please excuse my lack of knowledge about security best practices. I am learning about a lot of these topics for the very first time with this project and of course I'm always in a huge hurry to get things done. Things like quality and security unfortunately suffer as a result.

I also thought it would be good to include the typical checkbox that says "show password" for those folks (like me, lol) who have trouble typing blind sometimes.

@jks-prv jks-prv added the enhancement label Nov 6, 2017

@herrfeuer

This comment has been minimized.

Show comment
Hide comment
@herrfeuer

herrfeuer Nov 21, 2017

Aehm, Sorry Sir, but this is a Security Issue not an enhancement.

We can discuss about Letsencrypt integration, this would be a enhancement.

herrfeuer commented Nov 21, 2017

Aehm, Sorry Sir, but this is a Security Issue not an enhancement.

We can discuss about Letsencrypt integration, this would be a enhancement.

@jks-prv

This comment has been minimized.

Show comment
Hide comment
@jks-prv

jks-prv Nov 21, 2017

Owner

Well sure, I'm happy to make a new label called "security" instead of reusing the enhancement label if that would make you happy.

The only reason this hasn't been changed yet is because you will get a nasty message from the browser (Firefox at least) saying a form submit with type=password over a non-https connection is insecure (which it is!) But there are some complications here. The submit isn't directly going over the wire as http. It's going to javascript via an onsubmit=. So the type=password is really just a way to get opaque character entry in the input field. But to use it the entire Kiwi connection would have to be https. And that means the pain of dealing with certs etc. I have never done any of that and there would be a learning curve.

There are easier ways to get opaque entry. Sure, the https problem needs to be solved eventually. But if you're doing that then there is also the question of data sent on the web sockets. Using secure web sockets has big performance implications.

Owner

jks-prv commented Nov 21, 2017

Well sure, I'm happy to make a new label called "security" instead of reusing the enhancement label if that would make you happy.

The only reason this hasn't been changed yet is because you will get a nasty message from the browser (Firefox at least) saying a form submit with type=password over a non-https connection is insecure (which it is!) But there are some complications here. The submit isn't directly going over the wire as http. It's going to javascript via an onsubmit=. So the type=password is really just a way to get opaque character entry in the input field. But to use it the entire Kiwi connection would have to be https. And that means the pain of dealing with certs etc. I have never done any of that and there would be a learning curve.

There are easier ways to get opaque entry. Sure, the https problem needs to be solved eventually. But if you're doing that then there is also the question of data sent on the web sockets. Using secure web sockets has big performance implications.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment