Closed lfenart closed 2 years ago
lfenart
commented
2 years ago After some tests, https is in fact supported. Maybe it would be useful to warn that the use of an http prefix causes the passwords to be sent in clear text, since it is the default.
Anyway here is the pull request to replace MD5 with SHA256.
jweigelt
commented
2 years ago Thank you for your suggestions :)
I agree that md5 was not the best choice for storing passwords. 7f9aa760f8dcf46f96ae08e9f2b26ce2bdaa54f6 replaces Md5 with PBKDF2.
Standard http is mainly used for simplicity. I believe that most users of this application do not want to generate certficates (or even purchase them). That being said, auto-generating and installing a certificate might be a good idea, though I wouldn't prioritize it at the moment. Using self-signed certificates would also raise the issue of having some browsers block the website.
I will add a note to the readme to indicate that https can be enabled if desired.
lfenart
commented
2 years ago Awesome, thank you!
Hello, I noticed two security issues.
HTTPS is not supported, which causes the login/password to be sent in clear text on every HTTP request.
Passwords are hashed with MD5 before being stored in the database. MD5 is not a secure hashing algorithm, a SHA-2 algorithm (e.g. SHA-256) could be used instead (not the best but easy to implement and better than MD5) and the passwords should ideally be salted before being hashed.
I will try to implement these changes and submit a pull request, hoping you will accept it.