netbeans-netcat mailing list archives

From Alvin Thompson <al...@thompsonlogic.com>
Subject Re: Synergy sign-up is insecure
Date Wed, 03 Oct 2018 18:01:57 GMT
Unfortunately it's not quite such an easy fix. The page itself relies on assets which are also
not secure (for example, jquery is loaded over an insecure connection). The page source must
be tweaked to load all assets securely and the service it hits to submit the information must
be secured (if it isn't already). Then the page can be served over HTTPS. Everything must
be secure or nothing is.

> On Oct 3, 2018, at 1:29 PM, Leo Donahue <donahulf2@gmail.com> wrote:
> 
> Do you think whoever created the wiki page simply forgot to include https in the url
> they posted here, on step #3.
> 
> https://cwiki.apache.org/confluence/display/NETBEANS/NetCAT+10.0+Participants
> 
> The cert for the domain is good for https
> https://netbeans-vm.apache.org
> 
> It seems like a very short time (3 months) to pay for...
> 
> On Wed, Oct 3, 2018, 11:14 Alvin Thompson <alvin@thompsonlogic.com> wrote:
> That is not something the filler of the form could or should do; not only does the web
> service that the form sends this information to need to be secure, but the form itself must
> be secure.
> 
> It's possible that the javascript that the page uses to submit the password (it's an
> angular.js app) submits to a service secured with HTTPS already, but by that time it's too
> late. Since the javascript itself was loaded over an insecure connection, it can be modified
> with a "man in the middle" attack to submit the data somewhere else--therefore it just can't
> be trusted.
> 
> On Wed, Oct 3, 2018 at 11:50 AM Leo Donahue <donahulf2@gmail.com> wrote:
> Can you just change protocol of url to https?
> 
> On Wed, Oct 3, 2018, 09:25 Alvin Thompson <alvin@thompsonlogic.com> wrote:
> Sorry to be a stickler for this, but the Synergy sign-up page (
> http://netbeans-vm.apache.org/synergy/client/app/#/register)
> asks you to submit a password over an insecure connection. Can this be moved to HTTPS?
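
The point made in this thread, that every asset and the submission target must be secure before the page can be, can be checked mechanically. The following is an added example, not part of the original messages or of the Synergy code base: it lists every asset or form target in a page that would travel over plain HTTP, for a given page URL. The host names and the sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that triggers a fetch or a submission, per tag.
URL_ATTRS = {
    "script": "src", "link": "href", "img": "src",
    "iframe": "src", "form": "action",
}

class AssetAudit(HTMLParser):
    """Collect every asset or form target that would travel over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # list of (tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Relative and protocol-relative URLs inherit the page's own scheme.
        resolved = urljoin(self.page_url, value)
        if urlsplit(resolved).scheme == "http":
            self.insecure.append((tag, resolved))

def audit(page_url, html):
    """Return the insecure (tag, URL) pairs found in html served at page_url."""
    parser = AssetAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.insecure

# Constructed sample markup, not the real Synergy page source.
SAMPLE = """
<html><head>
<script src="http://cdn.example/jquery.min.js"></script>
<script src="//cdn.example/angular.min.js"></script>
<link rel="stylesheet" href="css/app.css">
</head><body>
<form action="https://api.example/register"><input type="password"></form>
</body></html>
"""

if __name__ == "__main__":
    # Same markup, audited as served over HTTP and then over HTTPS.
    for url in ("http://site.example/app/", "https://site.example/app/"):
        print(url, audit(url, SAMPLE))
```

Served over HTTP, every relative and protocol-relative asset is flagged even though the form posts to HTTPS; served over HTTPS, the hard-coded `http://` script remains and must be changed in the page source.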

