TrueNAS issue NAS-102295

Do not use HTTP URLs when using HTTPS


      Description

      To replicate:
      FreeNAS web UI set up for HTTPS only:
          System -> General: Protocol = HTTPS
          System -> General: WebGUI HTTP -> HTTPS Redirect = unchecked
      Create a pool. Add a recovery password.
      Go to Storage -> Pool, click on the lock symbol and select "Download Encryption Key".

      Expected behavior:

      The key is downloaded securely via HTTPS (the same protocol the web UI was connected with).

      Actual behavior: the link is ALWAYS sent as an HTTP URL:
      http://[FREENAS_IP]/_download/43?auth_token=[AUTHKEY HERE]

      If you have disabled HTTP and the HTTP-to-HTTPS redirect, this means the download URL is invalid (no HTTP server listening on port 80).
      The workaround is to manually edit the URL in the address bar, add "https:", and press Enter.

      Even though FreeNAS is not listening on port 80, the request with the auth-key download was still sent in the clear. A man in the middle could potentially use this to download the key by modifying the link to HTTPS. I was able to paste the HTTPS version of the URL into a new incognito Chrome window and download the key. I.e. there is a very, very small window, but an unauthenticated user who is a man in the middle can download an encryption key before you can.

      Note: if you have enabled both HTTP and HTTPS as protocols (but only use the web UI over HTTPS and don't have the HTTP -> HTTPS redirect), then all your key downloads are sent in the clear via HTTP even if you only use the web UI with HTTPS. Easier man-in-the-middle grabbing.

      So this ranges from a bug (unable to download the recovery key) to downloading keys in the clear, depending on the HTTP/HTTPS config.
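      The defect described above, shown as an added example that is not FreeNAS/TrueNAS code: the download link is built with a hard-coded http:// scheme next to a version that derives the scheme from the configured protocol and the scheme the request actually arrived on, plus an audit check that flags any link that would carry the auth token over cleartext. The function names, the GuiConfig model and the host name are assumptions.

```python
"""Added example (not project code): choose the download-link scheme from
the web UI configuration and the originating request instead of hard-coding
http://. GuiConfig, the protocol constants and the host are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit

# Assumed simplification of the System -> General "Protocol" setting.
HTTP_ONLY, HTTPS_ONLY, HTTP_AND_HTTPS = "HTTP", "HTTPS", "HTTPHTTPS"


@dataclass(frozen=True)
class GuiConfig:
    protocol: str        # one of the three constants above
    http_to_https: bool  # "WebGUI HTTP -> HTTPS Redirect" checkbox


def _path(file_id: int, token: str) -> str:
    # Same shape as the link quoted in the report: /_download/<id>?auth_token=...
    return f"/_download/{file_id}?{urlencode({'auth_token': token})}"


def buggy_download_url(host: str, file_id: int, token: str) -> str:
    """Behaviour the report describes: the scheme is always http."""
    return "http://" + host + _path(file_id, token)


def download_url(cfg: GuiConfig, request_scheme: str, host: str,
                 file_id: int, token: str) -> str:
    """The auth token is a bearer credential, so a session that arrived
    over TLS must never be handed a link that downgrades it to HTTP."""
    if cfg.protocol == HTTPS_ONLY or cfg.http_to_https:
        scheme = "https"  # port 80 is closed or redirects; only https works
    elif cfg.protocol == HTTP_AND_HTTPS:
        scheme = "https" if request_scheme == "https" else request_scheme
    else:
        scheme = "http"   # HTTP-only deployment: nothing else is reachable
    return f"{scheme}://{host}" + _path(file_id, token)


def link_leaks_token(url: str) -> bool:
    """Audit helper: True if an auth_token would travel over cleartext HTTP."""
    parts = urlsplit(url)
    return parts.scheme == "http" and "auth_token=" in parts.query


if __name__ == "__main__":
    cfg = GuiConfig(protocol=HTTPS_ONLY, http_to_https=False)
    for url in (buggy_download_url("nas.example", 43, "TOKEN"),
                download_url(cfg, "https", "nas.example", 43, "TOKEN")):
        print(url, "LEAKS TOKEN" if link_leaks_token(url) else "ok")
```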



                People

                Assignee: Erin Clark (erin)
                Reporter: James (JEBjames)