Discourage http basic authentication when not using TLS #1

Open
th4s opened this issue Feb 11, 2021 · 0 comments
Labels
good first issue Good for newcomers technical Improvement which does not create new functionality

Comments

@th4s (Owner) commented Feb 11, 2021

It is currently possible to inject authorization headers into HTTP requests using Credentials when creating a connector over websocket or http.

This also means it would be possible to use basic authentication over a non-TLS connection. This is not good practice and susceptible to attacks since the password is sent in cleartext.

I feel we should discourage this use and return an error when trying to create a connector not using TLS and attempting to use http basic authentication.

This would include checking if a TLS connection is used AND the credentials are Some(Credentials::Basic(_)) for Connector::websocket and Connector::http and also introduce new error variants accordingly.
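The check proposed above, as an added example that is not part of th4s's comment or the ethane code base: a shared constructor rejects `Credentials::Basic` whenever the endpoint scheme is plaintext (`http://` or `ws://`), and a dedicated error variant reports it. The `Credentials::Bearer` variant, the `ConnectorError` names and the manual scheme parsing are assumptions made for this example.

```rust
// Added example (not ethane's code): refuse HTTP basic auth over non-TLS transports.
#[derive(Debug, Clone, PartialEq)]
pub enum Credentials {
    Basic(String),  // base64("user:pass"), sent as `Authorization: Basic ...`
    Bearer(String), // assumed second variant: a token sent as `Authorization: Bearer ...`
}

#[derive(Debug, PartialEq)]
pub enum ConnectorError {
    /// Basic credentials combined with a plaintext (http:// or ws://) endpoint.
    BasicAuthWithoutTls,
    /// Scheme is not one of http, https, ws, wss.
    UnsupportedScheme(String),
}

#[derive(Debug, PartialEq)]
pub struct Connector {
    pub url: String,
    pub credentials: Option<Credentials>,
}

/// Returns true when the URL scheme encrypts the transport (https / wss).
fn uses_tls(url: &str) -> Result<bool, ConnectorError> {
    let scheme = url.split("://").next().unwrap_or("").to_ascii_lowercase();
    match scheme.as_str() {
        "https" | "wss" => Ok(true),
        "http" | "ws" => Ok(false),
        other => Err(ConnectorError::UnsupportedScheme(other.to_string())),
    }
}

impl Connector {
    /// Shared check for both the http and websocket constructors:
    /// basic credentials are only accepted on a TLS endpoint.
    pub fn new(url: &str, credentials: Option<Credentials>) -> Result<Self, ConnectorError> {
        let tls = uses_tls(url)?;
        if !tls && matches!(credentials, Some(Credentials::Basic(_))) {
            return Err(ConnectorError::BasicAuthWithoutTls);
        }
        Ok(Connector { url: url.to_string(), credentials })
    }
}

fn main() {
    // Constructed sample: basic auth against a local plaintext JSON-RPC endpoint is rejected.
    let plain = Connector::new("http://localhost:8545", Some(Credentials::Basic("dXNlcjpwYXNz".into())));
    println!("{:?}", plain); // Err(BasicAuthWithoutTls)
    let tls = Connector::new("https://node.example", Some(Credentials::Basic("dXNlcjpwYXNz".into())));
    println!("{:?}", tls.is_ok()); // true
}
```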

@th4s th4s added good first issue Good for newcomers technical Improvement which does not create new functionality labels Feb 11, 2021
@th4s th4s changed the title Discourage Http basic authentication when not using TLS Discourage http basic authentication when not using TLS Feb 11, 2021
PumpkinSeed added a commit to PumpkinSeed/ethane that referenced this issue Mar 31, 2021
PumpkinSeed pushed a commit to PumpkinSeed/ethane that referenced this issue Mar 31, 2021
Added formatter check to github actions.