mirobot / mirobot-ui

The web application that is used to control Mirobot (http://mirobot.io)
GNU General Public License v2.0

"show password" security hole? #7

Closed forresto closed 9 years ago

forresto commented 10 years ago

Is it a security hole to have the mirobot network (open) have the config for my private network with "show password"?

bjpirt commented 10 years ago

That's a good point, the "show password" feature (which came directly from the stock admin web pages - needs re-working) does probably needlessly show it. I imagine this is also a pain if you've set it up for students to use and they all start using your WiFi network because they find your password.

I'll make it so it doesn't send your password back out and doesn't send the POST variable if you haven't changed it I think.

There's not a lot we can do about the initial point of configuring the network over an unencrypted connection and I don't really want to make the WiFi network closed by default (though this could be an option for the future, then you could close it and configure it).

bjpirt commented 9 years ago

I've just pushed an update which should allow you to join your network more securely. You can now enable encryption on the built-in access point so when you configure it to join your network it will no longer be on an unencrypted connection.

I've also removed the "show password" feature, though still need to make it not send the password out and then only send it if it has changed.
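
The behaviour described in the comments above (do not send the stored password back out, and only send it when it has changed), as an added example that is not part of the thread or of the mirobot-ui code base. The function names and the field names `ssid`, `password` and `passwordSet` are hypothetical.

```javascript
// Added example: names are hypothetical, not taken from the Mirobot
// firmware or from mirobot-ui.

// Device side: what the config endpoint returns to any client on the AP.
// The stored password never leaves the device; a flag only says one exists.
function configForDisplay(stored) {
  return {
    ssid: stored.ssid,
    passwordSet: typeof stored.password === 'string' && stored.password.length > 0
  };
}

// Browser side: build the POST body from the form, sending only changed
// fields. An empty password box means "unchanged", so the key is omitted.
function buildUpdate(loaded, form) {
  const body = {};
  if (form.ssid !== loaded.ssid) body.ssid = form.ssid;
  if (form.password !== '') body.password = form.password;
  return body;
}

// Device side: merge an update into the stored config. A missing password
// key keeps the existing secret instead of blanking it.
function applyUpdate(stored, body) {
  const has = (k) => Object.prototype.hasOwnProperty.call(body, k);
  return {
    ssid: has('ssid') ? String(body.ssid) : stored.ssid,
    password: has('password') ? String(body.password) : stored.password
  };
}

// Constructed sample data.
const stored = { ssid: 'HomeNet', password: 'constructed-sample-secret' };
const shown = configForDisplay(stored);
const unchanged = buildUpdate(shown, { ssid: 'HomeNet', password: '' });
const changed = buildUpdate(shown, { ssid: 'HomeNet', password: 'new-sample-secret' });

console.log(JSON.stringify(shown));
console.log(JSON.stringify(unchanged));
console.log(JSON.stringify(applyUpdate(stored, changed)));
```
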