signalserver integration #242
Conversation
| QNetworkRequest request(ui->signalServerUrl_lineEdit->text() + "/fileuploads/upload/test"); | ||
| request.setRawHeader("Authorization", "Basic " + QByteArray(QString("%1:%2") | ||
| .arg(ui->signalServerLogin_lineEdit->text()) | ||
| .arg(ui->signalServerPassword_lineEdit->text()).toLocal8Bit().toBase64())); |
There was a problem hiding this comment.
As far as I understand, the password is sent in clear text (Authorization: Basic), possibly without secure connection (I see no restriction to HTTPS in signalServerUrl), which is considered as a bad practice nowadays.
The login should be limited to HTTPS or using an algorithm not transmitting the password in clear text and with a nonce (example).
Note: the QCTools server access from anyone not authorized on the same network (between the client and the server) is maybe not a big issue, but there are plenty of infected machines which scan the network and users usually use the same password on other websites, including more sensitive (sometimes personal) content.
There was a problem hiding this comment.
Agree, authorization: basic is not the best way, but that's what backend provides for now.
ElderOrb
force-pushed
the
signalserver
branch
8 times, most recently
from
21e8756
to
d2eb46a
Compare
ElderOrb
force-pushed
the
signalserver
branch
2 times, most recently
from
a63bcd0
to
483481b
Compare
|
Let's get this conflict resolved! |
|
Thanks for the addition of the first-track/all-tracks for video/audio.
Should I (or someone else) add some language to the Help pages about how to use signalserver? Can do within this branch or in another branch post-merging. This is great work, Alexander! (and Yayoi)! |
|
Hmmm, both sides of the conflict appear to be @ElderOrb's work, so leaving the resolve to him. @ablwr, the first/all tracks was added several months ago, mainly because @kieranjol loves processing files with 16 track audio and that really slows everything down substantially, so now there's a first/all choice but it's not part of this PR.
<property name="toolTip">
<string>click on help!</string>
</property>under the associated .
|
|
In the field with the password, can we change it to asterisks instead of the password being fully visible? |
|
I agree with @kellyhaydon, obscured passwords would be preferable. |
|
Additionally the password should be stored securely as well. |
|
What kind of encryption would you prefer? |
|
spammimic. jk, do you have a suggestion for something responsible. |
|
ROT13 – sorry, I cannot resist! I use |
|
For extra security, please apply ROT13 twice. |
|
Taking into account qctools is opensource and anyone can review code and learn how to decrypt password, do we really need strong / complicated encryption here? Or I can just qCompress password ? :) I'm thinking about not introducing 3rd-party dependencies without strong need. Just an idea. |
|
If we speak about security of the password, from my point of view there are 3 separate issues: 1/ do not show the password in the interface: "QLineEdit::setEchoMode(QLineEdit::Password);", so you can share a screen and write your password without showing it. 2/ do not use HTTP for transmission of the password: do it in HTTPS with a strong test of the validity of the certificate, never HTTP and/or HTTPS without test of the certificate. Note that my previous remark about the password in clear text on the network, which is the proposed behavior in the PR, is still valid. So whatever you do on the local machine, I can catch your password with a sniffer on your network until your remove the HTTP stuff... 3/ do not store the password: use an API between the client and the server, and store a token (provided by the server from a login/pass provided once by the user and never saved) provided by this API on the local disk, and only that; also provide an interface on the server for listing tokens and permit to revoke one. With this practice, the password is never stored on the local machine and a machine can be revoked (by revoking the token on the server) if it is no more secure.
Security through obscurity is a placebo, someone wanting to find the password will find it whatever you do, if you decide to store it. As people use to have the same password everywhere (bad practice but the reality), it is important to not store a password even if the project is not important, it may be a security breach for the end user. |
Done. But do we need something like 'show password' (for the case it was forgotten) ?
I don't disagree, but AFAIK at the moment backend provides http-only API. @dericed if you agree that HTTPS is 'must have' - I'll start discussing details with Yayoi.
Are you talking about something like OAuth? Do you have any opensource crossplatform implementations in mind (not requiring C++ 11 and compatible with Qt 4 :) ) ? |
…ent periodical connection check, add connection indicator to status bar
<troll> HTTPS, replacing HTTP, exists for a longer time (1994) than C++11 (2011) and Qt5 (2012), your priorities about "old technologies to kill" are weird (especially here due to the sensitive issue about passwords in clear text on the network), and not mine (my priority is to avoid HTTP for security reasons).
OAuth is a possibility, I guess. |
|
I didn't think about the 'checking' state ... how long do you think that will take? If it's a ping to the server, it shouldn't take very long, right? How about using nothing in the intermediary and I can add something if/when there's a need? |
Under normal conditions (server is up & running, internet connection is fine) it will happen nearly immediately, but when something goes wrong, 'checking' phase might take several seconds. To get better idea what I'm talking about just try to specify wrong IP address for backend and then press 'upload' |
|
Some more details in response of @JeromeMartinez comment : |
|
some minor comments:
|
|
|
also password is still stored in plain text in ~/Library/Preferences/net.mediaarea.QCTools.plist |
|
Thank you for the feedback, will try to resolve this issues later today. |
|
With regards to local password encryption, what do you think about this: https://github.com/roop/qblowfish ? Seems like a good compromise between big advanced library like Crypto++ and ROT13/xor/qCompress :) |
|
In my opinion, Blowfish it’s more than sufficient for QCTools. I didn’t know this Qt implementation: thank you for the information! (The Twofish algorithm would be stronger. If I’m not completely wrong, it’s used in GPG.) |
It still have some sense if one file has been selected. Should I hide it if zero / several files has been selected? |
- store encrypted password in QSettings
| private: | ||
| void updateScrollBar( bool blockSignals = false ); | ||
| bool isPlotZoomable() const; | ||
| void Zoom( bool ); | ||
| void changeFilterSelectorsOrder(QList<std::tuple<int, int> > filtersInfo); | ||
|
|
||
| DraggableChildrenBehaviour* draggableBehaviour; | ||
| SignalServer* signalServer; | ||
| SignalServerConnectionChecker* connectionChecker; | ||
| QWidget* connectionIndicator; |
|
Caveat: I didn’t test it. Reading the code it LGTM. |
The way it is integrated has severe issues:
I prefer to have the password in clear text so we don't forget that the password is not securely stored rather to sweeping this security issue under the carpet. |
|
If you can not modify the server API (this is the preferred method), the only solution for securely store a password is to use the Operating System password manager (OS X keychain, Gnome password manager, KWallet, Windows Credential Store...) which will prevent people from accessing the password without the user "master" password. Note that this does not change the issue about the password sent in clear text on the network (I repeat myself, I know, and I offer no patch, I know, but I prefer that we are 100% clear about this risk in the case the server API is not changed). |
|
Can you add some boilerplate note to say that passwords are stored and transmit in plain text. We could then resolve this before the next release so the issue would only exist in a range of daily builds. |
No description provided.