
"password is safe" Seriously?

Open ypid opened this issue 8 years ago • 13 comments

This website authenticates to the Github API via HTTP Basic Authentication, but all API calls are done over SSL, so your password is safe. More on Wikipedia. Note that your password is only sent to Github and is sent encrypted.

Seeing the issue here? Hint: the site itself is HTTP: http://www.dorukdestan.com/github-label-manager/ The thing with the weakest link, and so on. Ref: https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/

That just shows me that you seem to favor "coolness" (if having your own domain without HTTPS still counts as cool these days) over the absolute minimum of security. This is pretty much the same as in https://github.com/freshshell/fresh/issues/139.

Please don’t leave users in the dark about this, and please don’t make such bold statements.

ypid, Feb 13 '17 09:02

Thanks for your concern; however, the site not having SSL won't have any effect on AJAX requests from the site to https://api.github... or wherever... so calm your tits there :)

Please note that the whole app is just a JavaScript app, i.e. a front-end-only app; there is no backend on "the site", hence all requests are made to GitHub directly from the client's browser.

Please take your time to investigate via the dev console.

[image]

destan, Feb 13 '17 10:02

Oh boy. OK, let me explain:

Why isn’t submitting over HTTPS enough? Why does the page have to be HTTPS?

We get this question a lot, so I thought I would call it out specifically. Although transmitting over HTTPS instead of HTTP does prevent a network eavesdropper from seeing a user’s password, it does not prevent an active MITM attacker from extracting the password from the non-secure HTTP page. As described above, active attackers can MITM an HTTP connection between the server and the user’s computer to change the contents of the webpage. The attacker can take the HTML content that the site attempted to deliver to the user and add javascript to the HTML page that will steal the user’s username and password. The attacker then sends the updated HTML to the user. When the user enters their username and password, it will get sent to both the attacker and the site.

Ref: https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/

ypid, Feb 13 '17 10:02
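The quoted paragraph makes the point as prose; the following is an added example (my own code, not the tool's and not from the Mozilla post) that turns it into a check. It takes the URL a page is served from plus the page's HTML source and flags everything an active network attacker could rewrite before the user types a password: the page itself being plain HTTP, and any script, stylesheet or form target that resolves to a non-HTTPS URL. The sample URL and markup are constructed for the example and are not the real page; the `example.test` host is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an HTTP-served single-page app that asks for a GitHub
# password and talks to api.github.com over HTTPS afterwards. The markup and
# the host name are invented for this example, not taken from the tool.
SAMPLE_PAGE_URL = "http://www.example.test/github-label-manager/"
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery.min.js"></script>
<script src="js/app.js"></script>
</head><body>
<form id="login">
  <input name="username">
  <input name="password" type="password">
</form>
</body></html>
"""


class _SubresourceScanner(HTMLParser):
    """Collects script/stylesheet/form targets and counts password inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.subresources = []      # list of (kind, absolute_url)
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.subresources.append(("script", urljoin(self.page_url, a["src"])))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.subresources.append(("stylesheet", urljoin(self.page_url, a["href"])))
        elif tag == "form" and a.get("action"):
            self.subresources.append(("form-action", urljoin(self.page_url, a["action"])))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1


def _is_https(url):
    return urlsplit(url).scheme.lower() == "https"


def audit_credential_page(page_url, html):
    """Return a list of (finding, detail) tuples; an empty list means nothing to flag.

    Relative URLs inherit the page's scheme, which is exactly why a plain-HTTP
    page cannot protect itself by loading one library over HTTPS.
    """
    findings = []
    if not _is_https(page_url):
        findings.append(("page-not-https", page_url))
    scanner = _SubresourceScanner(page_url)
    scanner.feed(html)
    for kind, url in scanner.subresources:
        if not _is_https(url):
            findings.append((f"insecure-{kind}", url))
    # The thread's point: if anything above can be rewritten in transit, a
    # password typed into this page can be copied to the attacker regardless
    # of how the page's own API calls are transported.
    if scanner.password_inputs and findings:
        findings.append(("credential-exposed-to-active-mitm",
                         f"{scanner.password_inputs} password field(s)"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_credential_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding}: {detail}")
```

Run against the sample, the check flags the page itself and the relative `js/app.js` (which resolves to `http://`), and therefore the password field; serve the same markup from an `https://` URL and it reports nothing. The static scan cannot see what the page's JavaScript does at run time, so it is a floor, not a full answer: a tampered page can do anything.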

Oh OK, now I see your point, but we probably have different definitions of "safe". Well, honestly, I can't say you're completely wrong. However, while people even send PayPal passwords over HTTPS, the aforementioned concern seems a bit extreme to me.

By the way, AFAIK when there is such a MITM attack on an HTTPS connection, modern browsers show invalid certificate errors and the request fails for AJAX. See

If you are on a computer where invalid certificates are installed as trusted so that browsers won't complain... then you are screwed anyway, so that shouldn't count as an example.

Regarding #7, you're right. At the time I wrote that code I didn't have much time, or was just lazy; I don't remember now. However, a PR is always welcome here.

destan, Feb 13 '17 10:02

My colleague warned me that you mean: what if http://www.dorukdestan.com/github-label-manager/ is affected by a MITM, so that users won't see the original page and the AJAX request would be made somewhere else...

This is way too extreme, so I assumed you were talking about GitHub being MITM attacked... OK, well, surely this app is vulnerable if someone targets some user with a MITM for http://www.dorukdestan.com/github-label-manager/ ...

GitHub won't give SSL options for custom domains and my page uses GitHub Pages, so basically I can't use SSL there.

destan, Feb 13 '17 11:02

Thanks for checking back. I guess my opening description was not as precise as it should have been.

My colleague warned me that you mean: what if http://www.dorukdestan.com/github-label-manager/ is affected by a MITM, so that users won't see the original page and the AJAX request would be made somewhere else...

Yes, that’s it. You could host your website or at least this tool directly on github.io. Ref: https://help.github.com/articles/user-organization-and-project-pages/#project-pages

ypid, Feb 13 '17 11:02

Not the entire site, because GitHub won't allow SSL for custom domains, but for this tool I could create a project page with SSL. Thanks for the heads-up.

destan, Feb 13 '17 11:02

Sounds like a solution. Can you reopen until then?

ypid, Feb 13 '17 12:02

I wanted to note that it is possible for users to use a Personal Access Token here, instead of their password; then users can revoke the personal access token and thus prevent exploits from attackers who stole their token while the user was using this tool.

Still, it's better to update the documentation and (if possible) make the site HTTPS.

platinumazure, Jul 13 '17 20:07

Although I totally dislike the tone of the previous comments here, I wanted to leave the information that HTTPS is now also possible for custom domains on GitHub: https://help.github.com/articles/securing-your-github-pages-site-with-https/

janpio, Sep 04 '18 15:09

+1. Would really like to see SSL added to this for sure.

guylepage3, Nov 28 '18 11:11

Please do this SSL stuff 😄

PaxJaromeMalues, Dec 04 '18 17:12

My comment is not about the safety of passwords. I just wanted to point out that it seems the site does support HTTPS now, or at least navigating to the HTTPS domain works.

https://www.dorukdestan.com/github-label-manager/

douglascayers, Jul 28 '19 07:07

I also have no comment on the safety of passwords, etc... But it does appear that the GitHub API is deprecating password access anyway. I got the following when using the tool:

On June 5th, 2020 at 12:21 (UTC) you used a password to access an endpoint through the GitHub API using Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0:

https://api.github.com/repositories/178393777/labels?_=1591359719149

Basic authentication using a password to the API is deprecated and will soon no longer work. Visit https://developer.github.com/changes/2020-02-14-deprecating-password-auth/ for more information around suggested workarounds and removal dates.

dhunt84971, Jun 05 '20 16:06