support HTTP basic auth #35

Open
calestyo opened this issue Aug 2, 2017 · 3 comments

calestyo commented Aug 2, 2017

This especially makes sense in combination with #34 and when one allows disabling HTTP (i.e. non-TLS access) completely:

Support HTTP basic auth,... with TLS that would give proper access control to the shared files, so no eavesdroppers on the WiFi can access the files.

That would include:

  • allow users to configure a general default password OR allow them to choose that the app creates a new one for each share
  • allow the user to change/set the password per share (in the main view)
  • allow the user to click somewhere in the main view, to let the password be shown (by default it shouldn't be displayed)

Cheers,
Chris.
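
A sketch of the per-share password check proposed in this comment, as an added example that is not part of the original issue or the project's code. The function names, the realm string and the 403 response for non-TLS requests are assumptions made for illustration.

```python
import base64
import hmac
import secrets

REALM = "share"  # assumed realm name, not taken from the project


def new_share_password(nbytes=16):
    """Random per-share password from the OS CSPRNG, easy to display and type."""
    return secrets.token_urlsafe(nbytes)


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def authorize(header, share_password, is_tls=True, allow_plain_http=False):
    """Return (status, response_headers) for one request to one share."""
    if not is_tls and not allow_plain_http:
        # Basic credentials are only base64-encoded, so they are refused
        # outright when non-TLS access has been disabled (assumed policy).
        return 403, {}
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic(header)
    if creds is None:
        return 401, challenge
    _, password = creds  # the user name is ignored: one secret per share
    # Constant-time comparison avoids leaking how much of the password matched.
    if hmac.compare_digest(password.encode(), share_password.encode()):
        return 200, {}
    return 401, challenge
```
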

@marcosdiez
Owner

basic HTTP auth could be done.
TLS.... not really. How would I get a valid certificate? For I see no point in invalid certificates.
Or am I missing something?
Making the user upload a valid SSL certificate would make the app almost unusable.
And using Let's Encrypt would not be an option either, for the phones are usually under firewalls.
Let's Encrypt + DNS would also be a pain, because it would not be automatic unless somebody inputted the AWS credentials (or whichever provider they want).

@marcosdiez marcosdiez mentioned this issue Aug 2, 2017
@calestyo
Author

calestyo commented Aug 2, 2017

Well as I've said, one would need a self signed cert... not sure how easy this would be to generate on android,... it's a simple one-liner on command line with e.g. openssl.

By displaying the cert DN and fingerprint in the app's main view (when the share is done), the user can use these to check what his browser shows to verify whether there is no man-in-the-middle attack going on.
But even if he doesn't, there's the security-obscurity and TOFU (trust on first use) gain in terms of security.

Further I haven't said that this is a feature for the windows end user... it's rather something advanced for people who want the extra security.
That also applies to the option to upload one's own cert... it would be really something for the geeks amongst us ;-)

I don't think Let's Encrypt would work anyway...

@calestyo
Author

calestyo commented Aug 2, 2017

btw: Why closing it, if you think at least basic auth could be done? :-)
