Issue #1 new

HTTPS cert not valid

Marnick L'Eau
created an issue

When trying to use https to access the site, the following warning is displayed (attached screenshot: vivaldi_2016-06-09_22-56-40.png)

tl;dr: the cert applies to *.accountservergroup.com, not correcthorsebatterystaple.net

Given the function of the site, I'd say this is a fairly important thing to remedy :)

An easy solution I can recommend from experience is letsencrypt

Perhaps the site should also automatically switch to https when accessed via http. HTTPS-by-default is a concept I very much support for obvious reasons, especially in cases like this.
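The browser warning in this report comes from hostname matching: the served certificate lists the hosting provider's names, and none of them covers the site's own domain. The following is an added example, not code from the CorrectHorseBatteryStaple project, that applies the RFC 6125 dNSName rules browsers use (case-insensitive comparison, a wildcard standing in for exactly one left-most label) to a SAN list constructed from the two names quoted in the issue; the real certificate's full name list is not shown on this page, and the `san_dns_names` helper's input shape is the dict `ssl.SSLSocket.getpeercert()` returns.

```python
"""Hostname matching as a browser does it, to read the warning in this issue.

Added example, not code from the CorrectHorseBatteryStaple project. The
SAN list below is constructed from the two names quoted in the report.
"""

# Constructed from the issue text: the served certificate names the hosting
# provider's domain, not the site's own.
ISSUE_SAN_DNS_NAMES = ["*.accountservergroup.com", "accountservergroup.com"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does one dNSName SAN entry cover hostname? (RFC 6125 section 6.4.3 rules)

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard must be the whole left-most label ("*.example.com")
    - the wildcard stands in for exactly one label, so "*.example.com"
      covers "www.example.com" but not "a.b.example.com" or "example.com"
    - "*.com"-style patterns are refused: at least two fixed labels required
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def san_dns_names(peercert: dict) -> list:
    """Pull dNSName entries out of the dict ssl.SSLSocket.getpeercert() returns.

    getpeercert() reports subjectAltName as a tuple of (type, value) pairs,
    e.g. (("DNS", "*.accountservergroup.com"), ("DNS", "accountservergroup.com")).
    """
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def check_host_against_cert(hostname: str, dns_names: list) -> tuple:
    """Return (ok, message) describing the match the way a browser warning would."""
    for name in dns_names:
        if dns_name_matches(name, hostname):
            return True, f"{hostname} is covered by SAN entry {name}"
    return False, f"certificate is valid for {', '.join(dns_names)}, not {hostname}"


if __name__ == "__main__":
    for host in ("correcthorsebatterystaple.net", "www.accountservergroup.com"):
        print(check_host_against_cert(host, ISSUE_SAN_DNS_NAMES))
```

Run against the constructed list, the site's own name fails and a sub-domain of the provider passes, which is exactly the situation the screenshot describes. Note that `getpeercert()` only returns the name dict after a handshake in which the certificate chain was verified, so to inspect a mismatched certificate you keep chain verification on and disable only the hostname check for that one diagnostic connection.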

Comments (7)

  1. John Van Der Loo repo owner

    Hi Marnick L'Eau,

    Thanks for your issue report, I'd like to note firstly that once the site has loaded there is no further communication between the client and server when passwords are generated, i.e. all passwords are generated using JavaScript on the client, and at no point are passwords transmitted over the network.

    I can however see the value of having a valid certificate for the site as it would put the more security conscious at ease, I'll look in to seeing if this is something I can easily accomplish on my current host in due course :-)

  2. FSMaxB

    It is not only for the security conscious. The problem is what happens once the page loads the first time. Let's say you're on an open Wi-Fi, without SSL, a man in the middle could intercept the first page load and replace it with a version that sends your passwords to the attacker or, let's say, only generates a much smaller set of easy to guess passwords rather than the full range (wordlist with 10 words for example).
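The mitigation for the scenario in this comment, and for the http-to-https switch suggested in the report, is to refuse to serve the page over plain HTTP and to have returning browsers remember that. The following is an added example, not code from the CorrectHorseBatteryStaple project: a small WSGI middleware that answers plain-HTTP requests with a redirect to the same URL under https:// and adds a Strict-Transport-Security (HSTS) header to HTTPS responses. The canonical host name and the scheme-detection details are assumptions; `X-Forwarded-Proto` is only honoured when the operator opts in, because a client can send that header itself.

```python
"""Force HTTPS at the application layer and pin returning clients with HSTS.

Added example, not part of the CorrectHorseBatteryStaple project. HSTS only
protects visits after the first successful HTTPS load (unless the domain is
on the browser preload list), so the very first plain-HTTP load remains the
window this comment is about; the redirect shortens it to one request.
"""
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year, all sub-domains


class ForceHTTPS:
    def __init__(self, app, canonical_host="correcthorsebatterystaple.net",
                 trust_forwarded_proto=False):
        # canonical_host is assumed; set trust_forwarded_proto only when a TLS
        # terminator in front of the app overwrites X-Forwarded-Proto itself.
        self.app = app
        self.canonical_host = canonical_host
        self.trust_forwarded_proto = trust_forwarded_proto

    def _scheme(self, environ):
        if self.trust_forwarded_proto and "HTTP_X_FORWARDED_PROTO" in environ:
            return environ["HTTP_X_FORWARDED_PROTO"].lower()
        return environ.get("wsgi.url_scheme", "http").lower()

    def __call__(self, environ, start_response):
        if self._scheme(environ) != "https":
            # Plain HTTP: do not serve the page at all, send the client to TLS.
            target = "https://" + self.canonical_host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Replace any existing HSTS header so the policy here is authoritative.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def demo_app(environ, start_response):
    """Stand-in for the generator page; everything happens client-side after load."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"password generator page"]


def run(app, environ):
    """Call a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


app = ForceHTTPS(demo_app)

if __name__ == "__main__":
    print(run(app, {"wsgi.url_scheme": "http", "PATH_INFO": "/", "QUERY_STRING": "words=4"}))
    print(run(app, {"wsgi.url_scheme": "https", "PATH_INFO": "/"}))
```

The same two rules (redirect every http:// request, emit HSTS on https:// responses) are normally configured in the web server or the hosting control panel rather than in application code; the middleware form is used here only so the behaviour can be exercised with constructed requests. The redirect itself is still an unauthenticated plain-HTTP response, so it does nothing against an attacker already intercepting that first request; its value is that honest networks never serve the page unencrypted and that every client which has seen the HSTS header once will refuse http:// thereafter.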

  3. John Van Der Loo repo owner

    Marnick L'Eau: I haven't had the time to look at this yet. Rest assured it's on my radar and as soon as I get a chance I will look at it.

    I agree with both you and FSMaxB that there is a risk of a MITM; though keep in mind that the attack vector would then need to be specifically targeted and more complex as well, and an attacker doesn't necessarily know if/when/where a generated password is used, but let's say for argument's sake that it's a possibility :-)

    I may have some time on one of the coming weekends to look in to this (fingers crossed).
