HTTPS cert not valid
When trying to use https to access the site, the following warning is displayed:
tl;dr: the cert applies to *.accountservergroup.com, not correcthorsebatterystaple.net
Given the function of the site, I'd say this is a fairly important thing to remedy :)
An easy solution I can recommend from experience is letsencrypt
Perhaps the site should also automatically switch to https when accessed via http. HTTPS-by-default is a concept I very much support for obvious reasons, especially in cases like this.
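To make the two points of this report concrete, here is an added example that is not part of the issue thread or the site's own code. The first function applies the usual wildcard rule for certificate DNS names (a `*` only stands in for a single left-most label), which is why a certificate issued for `*.accountservergroup.com` cannot cover `correcthorsebatterystaple.net`; the second sketches the http-to-https redirect policy suggested above, with an HSTS header on the secure side. The certificate name list is a constructed stand-in based on the names quoted in the report, not the real certificate.

```python
"""Added example: certificate hostname matching and an HTTP-to-HTTPS redirect policy.

Not part of the issue thread. The SAN list below is constructed from the
hostnames mentioned in the report; it is not the site's actual certificate.
"""

from typing import Dict, Iterable, Tuple


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name (CN/SAN entry) against a requested host.

    Follows the RFC 6125 style rule used by browsers: a wildcard is only
    honoured when it is the entire left-most label, it matches exactly one
    label, and it needs at least two further labels after it. So
    '*.example.com' covers 'www.example.com' but not 'example.com' and not
    'a.b.example.com'. Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host

    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the whole first label and must not be the public suffix
    # (e.g. '*.com' is rejected by requiring at least three labels).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # One wildcard label matches exactly one host label, never several.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(san_dns_names: Iterable[str], host: str) -> bool:
    """True if any DNS name in the certificate matches the requested host."""
    return any(dns_name_matches(name, host) for name in san_dns_names)


def describe_check(san_dns_names: Iterable[str], host: str) -> str:
    """Human-readable verdict, in the spirit of the browser warning in the report."""
    names = list(san_dns_names)
    if cert_covers_host(names, host):
        return f"OK: certificate covers {host}"
    return f"MISMATCH: certificate is for {', '.join(names)}, not {host}"


def redirect_policy(scheme: str, host: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Minimal https-by-default policy for a request.

    Plain-http requests get a permanent redirect to the https URL; https
    requests get an HSTS header so the browser will not try http again for a
    year. Returns (status_code, headers).
    """
    if scheme.lower() == "https":
        return 200, {"Strict-Transport-Security": "max-age=31536000"}
    return 301, {"Location": f"https://{host}{path}"}


# Constructed sample: a hosting provider's wildcard certificate, as described
# in the report. Not the real certificate.
SAMPLE_SAN = ["*.accountservergroup.com", "accountservergroup.com"]

if __name__ == "__main__":
    print(describe_check(SAMPLE_SAN, "correcthorsebatterystaple.net"))
    print(describe_check(SAMPLE_SAN, "www.accountservergroup.com"))
    print(redirect_policy("http", "correcthorsebatterystaple.net", "/"))
```

The wildcard rule is the reason the hosting provider's shared certificate does not help here: a certificate has to carry the site's own name (or a wildcard one label above it), which is exactly what a per-domain certificate from Let's Encrypt provides.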
Comments (8)
repo owner Hi @Marnes,
Thanks for your issue report, I'd like to note firstly that once the site has loaded there is no further communication between the client and server when passwords are generated, i.e. all passwords are generated using JavaScript on the client, and at no point are passwords transmitted over the network.
I can however see the value of having a valid certificate for the site as it would put the more security conscious at ease, I'll look in to seeing if this is something I can easily accomplish on my current host in due course :-)
It is not only for the security conscious. The problem is what happens once the page loads the first time. Let's say you're in an open Wi-Fi, without SSL, a man in the middle could intercept the first page load and replace it with a version that sends your passwords to the attacker or, let's say, only generates a much smaller set of easy to guess passwords rather than the full range (wordlist with 10 words for example).
Account Deleted reporter @FSMaxB Very true, and that was my main concern too. :) Didn't bother to go into that myself since he said he'd handle it. On that note though....
@jvdl how's it coming along? It's been a while now
repo owner @Marnes: I haven't had the time to look at this yet. Rest assured it's on my radar and as soon as I get a chance I will look at it.
I agree with both you and @FSMaxB that there is a risk of a MITM; though keep in mind that the attack vector would then need to be specifically targeted and more complex as well, and an attacker doesn't necessarily know if/when/where a generated password is used, but let's say for argument's sake that it's a possibility :-)
I may have some time on one of the coming weekends to look in to this (fingers crossed).
@jvdl Any updates on this? It has been over half a year since this ticket has been updated.
repo owner changed status to resolved
So it took me a while to get around to this, but the site finally has a proper SSL cert.