Please make certificate password changable, this is a sequrity threat. #164
Comments
|
Vulnerable to what exactly? Can you elaborate? |
|
When the thing called password is constant and publicly known it is a
Definition of Vulnerability, say it would be your email, bank account or
iphone password, will you feel safe?)
чт, 19 нояб. 2020 г. в 13:14, Mathias Lykkegaard Lorenzen <
[email protected]>:
to what exactly? Can you elaborate?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#164 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAWHYIIQOFRBE5NFSBYZAKTSQTVXZANCNFSM4T3D2IEA>
.
--
Best regards,
Oleg Jakushkin
Department of Computer Modeling and Multi-Processing Systems
Faculty of Applied Mathematics and Control Processes
Saint-Petersburg State University
|
|
The only vulnerability would be to intercept HTTPS traffic and decrypt it, right? That's all I want to know, or if you see other attack vectors too. That defeats the prime purpose of a certificate indeed, unless you don't really care about the privacy element of HTTPS and just want it for HTTP/2 performance or SEO/usability purposes. Either way, I agree it should be specified clearly in the documentation, and there should be a way to get around it. I'll probably also make it throw a warning. Right now I don't have a lot of time though, but PRs are welcome 😊🙏 |
|
Yep - main attack vector would be to intercept HTTPS traffic and decrypt it on provider or router side (free wifi access points). That is important when: you transfer money, use OpenID to login, furthermore OpenID and banking systems require you to use SSL exactly for "safe" traffic encryption. |
|
@OlegJakushkin very good point. Unfortunately, I do not have time to fix it at the moment. PRs are very welcome! |
Issue:
Stuff like
X509Certificate2(data, nameof(FluffySpoon));with constant passwords makes the system quite vulnerable.Solution:
A. Keep nameof(FluffySpoon) as sane default, yet allow the user to set his own password
B. Make it random\GUID based so that it would change on each automatic update.
The text was updated successfully, but these errors were encountered: