Open realJustmike opened 8 years ago
Absolutely, wanna do a pull request?
Would we close it in times of HTTPS and free Let's Encrypt certificates?
I would rather force HTTPS usage per setting in EM, what do you think?
I don't think closing this is the best idea, because having an HTTPS connection allows an attacker who knows your secret to fetch the data. Securing it via a pre-shared key or a key pair solution is more secure. I will think about it and do a pull request on this if I find a solution.
Additional encryption is more secure. But the attack vector you described is easily mitigated by employing a proper IP filter in the extension's settings.
I think it would be nice to encrypt the data transferred between monitor and clients based on a pre-shared key in the extension-settings like Xavier Perseguers does in his "Central account management":
https://docs.typo3.org/typo3cms/extensions/causal_accounts/AdministratorManual/InstallingExtension/Index.html