search

marcosdiez / shareviahttp

Share Via Http - Android
Other
175 stars 37 forks source link

support HTTP basic auth #35

Open calestyo opened 7 years ago

calestyo commented 7 years ago

This makes especially sense in combination with #34 and when one allows to disable http (i.e. non-TLS access) completely:

Support HTTP basic auth,... with TLS that would give proper access control to the shared files, so no eavesdroppers on the WiFi can access the files.

That would include:

Cheers, Chris.

marcosdiez commented 7 years ago

basic HTTP auth could be done. TLS.... not really. How would I get a valid certificate ? For I see no point in invalid certificates. Or am I missing something ? Making the user upload a valid SSL certificate would make the app almost unusable. And using let's encrypt would not be an option either, for the phones are usually under firewalls. Let's encrypt + dns would also be a pain, because it would not be automatic unless somebody inputed the AWS credentials (or whichever proviter they want)

calestyo commented 7 years ago

Well as I've said, one would need a self signed cert... not sure how easy this would be to generate on android,... it's a simple one-liner on command line with e.g. openssl.

By displaying the cert DN and fingerprint in the app's main view (when the share is done), the user can use these to check what his browser shows to verify whether there is no man-in-the-middle attack going on. But even if he doesn't, there's the security-obscurity and TOFU (trust on first use) gain in terms of security.

Further I haven't said that this is a feature for the windows end user... it's rather something advanced for people who want the extra security. That also applies to the option to upload one's own cert... it would be really something for the geeks amongst us ;-)

I don't think lets encrypt would work anyway...

calestyo commented 7 years ago

btw: Why closing it, if you think at least basic auth could be done? :-)