
Security: Password sent in the clear

Open phirsch opened this issue 9 years ago • 2 comments

In api/login, password and username are sent to the server in plaintext via http (unencrypted).

This could be improved by using https instead to establish a secure channel. Otherwise, please at least let the user know about this fact unmistakably on the login page.

Thanks!

phirsch avatar Sep 06 '15 22:09 phirsch

Hello Pascal,

Thanks for your concern. HTTP is the default mode of communicating with 4clojure in a browser. I'm not even sure if it supported HTTPS back when I developed the initial version of the app. Anyway, it does now, so it makes sense to rewrite the app to work via HTTPS.

Best regards, Alex


alexander-yakushev avatar Sep 07 '15 06:09 alexander-yakushev

Hello Alex,

Thank you very much - it would be great to see this happen! And thank you very much for the app, of course!

Regards, Pascal


phirsch avatar Sep 07 '15 07:09 phirsch
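The fix the maintainer agrees to above is a client-side one: make sure the login call only ever goes over HTTPS. The following Python sketch, added here as an illustration and not taken from foreclojure-android (which is a Clojure app), shows the guard a login client can apply before credentials leave the device: refuse any non-HTTPS endpoint, refuse credentials embedded in the URL, and offer an http-to-https rewrite of the base URL. The `api/login` path comes from the report; the host `4clojure.example` and the form field names `user` and `pwd` are constructed placeholders, not the real API.

```python
"""Enforce an HTTPS-only login endpoint before credentials leave the client.

Illustrative example for the issue above; not code from foreclojure-android.
The ``api/login`` path is from the report. The host ``4clojure.example`` and
the form fields ``user``/``pwd`` are constructed placeholders.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit


class InsecureEndpoint(ValueError):
    """Raised when credentials would travel over an unencrypted channel."""


def check_login_url(url: str) -> str:
    """Return ``url`` unchanged if it may carry credentials, else raise.

    Rules: the scheme must be https; the authority must not contain
    user:pass@; and there must be no query string (anything in it ends up
    in server, proxy and browser-history logs).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise InsecureEndpoint(
            f"refusing to send credentials over {parts.scheme!r}: {url}")
    if parts.username or parts.password:
        raise InsecureEndpoint("credentials embedded in URL authority")
    if parts.query:
        raise InsecureEndpoint("login URL must not carry a query string")
    return url


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https:// on the same host and path.

    This only changes what the client asks for; that the server really
    serves the API over TLS (with a valid certificate) must be confirmed
    separately, otherwise the request simply fails instead of leaking.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunsplit(parts)


def build_login_request(base_url: str, username: str, password: str):
    """Assemble the POST target and form body for api/login, HTTPS-only.

    Returns ``(url, body_bytes)``. The credentials go in the request body,
    never in the URL, and only after ``check_login_url`` has accepted the
    endpoint.
    """
    url = check_login_url(base_url.rstrip("/") + "/api/login")
    body = urlencode({"user": username, "pwd": password}).encode()
    return url, body


if __name__ == "__main__":
    # Constructed base URL mirroring the situation in the report: plain http.
    weak_base = "http://4clojure.example"
    try:
        build_login_request(weak_base, "alice", "s3cret")
    except InsecureEndpoint as err:
        print("blocked:", err)
    # Corrected configuration: same host, TLS scheme.
    url, body = build_login_request(upgrade_to_https(weak_base), "alice", "s3cret")
    print("would POST to", url, "with body", body)
```

The important design point is that the check sits in the one place credentials are assembled, so a later change to the base URL (a config file, a debug build pointing at a test server) cannot silently reintroduce a plaintext login.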