badershs / youtube-upload

Automatically exported from code.google.com/p/youtube-upload

Support: security concern #126

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
= Versions

youtube-upload: 0.7.3
python: 2.7.3
python-gdata: 2.0.18

= Describe the steps (including the command you run) that will reproduce
the problem?

I believe that Youtube-upload does NOT send "Google account password in plain 
text" over the Internet as stated in 
http://webapps.stackexchange.com/a/40521/52958 - but nevertheless I just want 
to be 100% sure. :)

BTW, is it more secure to use API upload instead of pycurl?

Also, IMHO it would be nice to put somewhere in the README info about 
alternative password usage according to r58 + r141:

# Read password from a file
$ cat password | youtube-upload -p - ...

+

# Ask password from user if not provided
$ youtube-upload -e doe@gmail.com ...
$ Password for account <doe@gmail.com>:

Thx!

Original issue reported on code.google.com by m4Ri000 on 11 Nov 2013 at 1:53

GoogleCodeExporter commented 9 years ago
I am pretty sure the auth goes through https. Let's see the ngrep output of a 
login process:

{{{
T 192.168.1.2:33767 -> 173.194.41.212:443 [AP]
T 173.194.41.212:443 -> 192.168.1.2:33767 [A]
T 173.194.41.212:443 -> 192.168.1.2:33767 [A]
T 173.194.41.212:443 -> 192.168.1.2:33767 [AP]
T 192.168.1.2:33767 -> 173.194.41.212:443 [AP]
T 173.194.41.212:443 -> 192.168.1.2:33767 [AP]
T 192.168.1.2:33767 -> 173.194.41.212:443 [AP]
T 192.168.1.2:33767 -> 173.194.41.212:443 [AP]
T 173.194.41.212:443 -> 192.168.1.2:33767 [AP]
T 173.194.41.212:443 -> 192.168.1.2:33767 [AP]
}}}

Also, I've set a fake "https_proxy=" and the login does not work anymore.

> BTW, is it more secure to use API upload instead of pycurl?

I don't understand, are you worried about the privacy of the video data? I 
don't know any other way to upload the video except the API upload and POST 
upload.

> $ cat password | youtube-upload -p - ...

Added to the README.

Thanks for the report.

Original comment by tokland on 18 Nov 2013 at 8:38
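
The check described in the comment above can be scripted. This is an added example, not part of the original thread or of youtube-upload: it parses ngrep header lines, counts packets per remote endpoint, flags any remote port outside a TLS allow-list, and flags any payload line that shows a throwaway canary password in readable form. The function name `audit_ngrep`, the canary value and the cleartext capture are assumptions constructed for illustration.

```python
import re
from collections import Counter

# ngrep header line, e.g. "T 192.168.1.2:33767 -> 173.194.41.212:443 [AP]"
HEADER = re.compile(
    r"^[TUI] (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: \[[A-Z]*\])?$"
)

# Header lines copied from the capture in the comment above.
PAGE_CAPTURE = """\
T 192.168.1.2:33767 -> 173.194.41.212:443 [AP]
T 173.194.41.212:443 -> 192.168.1.2:33767 [A]
T 173.194.41.212:443 -> 192.168.1.2:33767 [A]
T 173.194.41.212:443 -> 192.168.1.2:33767 [AP]
T 192.168.1.2:33767 -> 173.194.41.212:443 [AP]
T 173.194.41.212:443 -> 192.168.1.2:33767 [AP]
T 192.168.1.2:33767 -> 173.194.41.212:443 [AP]
T 192.168.1.2:33767 -> 173.194.41.212:443 [AP]
T 173.194.41.212:443 -> 192.168.1.2:33767 [AP]
T 173.194.41.212:443 -> 192.168.1.2:33767 [AP]
"""

# Constructed sample (not from the page): a login sent over plain HTTP.
CLEARTEXT_CAPTURE = """\
T 192.168.1.2:40000 -> 203.0.113.10:80 [AP]
POST /login HTTP/1.1..Host: example.test....Email=doe@gmail.com&Passwd=canary-Pw-123
"""

def audit_ngrep(capture, local_ip, canary, tls_ports=(443,)):
    """Return (flows, findings): packets per remote endpoint, and problems seen."""
    flows, findings, remote = Counter(), [], None
    for lineno, line in enumerate(capture.splitlines(), 1):
        m = HEADER.match(line.strip())
        if m:
            # The side that is not local_ip is the remote endpoint.
            if m["src"] == local_ip:
                remote = (m["dst"], int(m["dport"]))
            else:
                remote = (m["src"], int(m["sport"]))
            flows[remote] += 1
            if remote[1] not in tls_ports and flows[remote] == 1:
                findings.append("non-TLS port: %s:%d" % remote)
        elif canary in line:
            # A payload line shows the canary password in readable form.
            findings.append("canary visible on line %d (flow %s)" % (lineno, remote))
    return flows, findings
```

An empty findings list means every packet went to an allow-listed port and the canary never appeared in readable form; it does not show that the client validated the server certificate.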

GoogleCodeExporter commented 9 years ago
Thanks for the clarifications!

Original comment by m4Ri000 on 18 Nov 2013 at 9:49

GoogleCodeExporter commented 9 years ago

Original comment by tokland on 13 May 2014 at 8:32