jacos15 / swiftp

Automatically exported from code.google.com/p/swiftp
GNU General Public License v3.0

Please add new field for URL name "segment" #28

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The new proxy feature is nice, but I would urge you to consider adding a 
new setup data field that is used to create the proxy URL.  By using the 
username, you are exposing half of the authentication process -- as soon 
as I figure out the URL, I also have the username and all I have to guess 
is the password.

Adding a dedicated field for the URL "name" means that I still have to 
figure out both the username and the password after having discovered the 
URL.

Raan Young

Original issue reported on code.google.com by raans....@gmail.com on 13 Jan 2010 at 6:41

GoogleCodeExporter commented 9 years ago
I don't understand the objection to the current design.

How would an attacker "figure out the URL"? The URL that is shown on the main SwiFTP
control screen is just a convenient way of representing "use the FTP protocol with
username X to connect to domain name Y." The username is not shown to anyone.

Are you suggesting that the username be hidden on the SwiFTP main screen?

I'm probably misunderstanding your point, but I'd very much like to be corrected.

Also, let's keep in mind that FTP is a completely insecure protocol, in that any
attacker who can monitor the TCP streams knows your password and has all the data
that's been transmitted.

Cheers,
Dave

Original comment by Dave.Revell@gmail.com on 13 Jan 2010 at 6:51

GoogleCodeExporter commented 9 years ago
(reposting email reply here for completeness)

Perhaps I'm the one who is not understanding -- I assume that the URL listed on the
control screen is the URL I would use to access the device from wherever on the
net.  Isn't it necessary for me to have that full URL to connect?  Are you saying
the URL syntax avoids a username prompt (as the user:pswd@host syntax does)?  I'll
admit I haven't actually tried using the proxy connection yet, so maybe I missed
something....

OK, well now I have.  I see that the first part of the URL is, in fact, used for the
username, so it's no less secure than the standard syntax (and like the standard can
include the password), and does not have to be part of the URL if I prefer to be
prompted for it.

I'll withdraw the issue :-)

But I will take this opportunity to say that I miss the ability to log activity --
that seems to have disappeared?

Raan

Original comment by raans....@gmail.com on 13 Jan 2010 at 4:22

GoogleCodeExporter commented 9 years ago
OK, glad we're on the same page.

I thought the server log was cluttering up the main screen. My purpose in including
it was to allow better bug reports, but no one uses it for that purpose. Therefore I
axed it. I'll consider putting it back in a future version.

Original comment by Dave.Revell@gmail.com on 13 Jan 2010 at 9:31

GoogleCodeExporter commented 9 years ago
Maybe you could have a button that brings up a separate page for those who want the
log.  I liked the option of seeing what was going on.

Raan

Original comment by raans....@gmail.com on 14 Jan 2010 at 12:36