Page 1 of 1

HTTPS access for invites or HTTP only?

Posted: Sat Mar 13, 2010 4:33 pm
by DaX
If I send somebody a link for a folder share, will this person have to use HTTPS to access the content or is it possible to get access via HTTP only? If HTTP access is possible, it's a security problem for confidential files. Can you force HTTPS access?

Re: HTTPS access for invites or HTTP only?

Posted: Sat Mar 13, 2010 4:41 pm
by madhan
1) If you are using relay, you can try https:// prefix to the URL and you should get SSL access. SSL is available through our relay service.

2) If you are not using relay service then you can buy a SSL certificate to get https

Re: HTTPS access for invites or HTTP only?

Posted: Sat Mar 13, 2010 4:58 pm
by DaX
madhan wrote:1) If you are using relay, you can try https:// prefix to the URL and you should get SSL access. SSL is available through our relay service.


If I understand you correctly, users could still use http to get access. They are not forced to use https?

Re: HTTPS access for invites or HTTP only?

Posted: Sat Mar 13, 2010 5:16 pm
by madhan
Correct. It is their choice.

Re: HTTPS access for invites or HTTP only?

Posted: Sat Mar 13, 2010 5:28 pm
by DaX
One more question to understand the security concept.

You write on http://www.tonido.com/app_workspace_home.html:
"Data communications between Tonido workspace group members is encrypted by secure algorithms (AES 256). Your communications are completely safe from eavesdropping and tampering."

This seems to apply only if all group members use a TonidoPlug or the Tonido software. But as soon as a user accesses data via weblink (including upload possibility) privacy is not ensured any more?

Re: HTTPS access for invites or HTTP only?

Posted: Sat Mar 13, 2010 5:33 pm
by madhan
True if you they use non-ssl http://.

Re: HTTPS access for invites or HTTP only?

Posted: Sat Mar 13, 2010 5:39 pm
by DaX
I like the idea of TonidoPlug very much. It would be great if you could plug this "security hole" so that (unexperienced) users would have to use https at all times.

Re: HTTPS access for invites or HTTP only?

Posted: Sat Sep 11, 2010 7:32 am
by richard42
It is hard for people to remember typing in https instead of http when access tonido pages. This is risky from a laptop using public wi-fi as the password is show in plain text. Is there a way to configure tonidoplug to check a header or variable to redirect such http request to one that starts https? Otherwise this is a real security risk. I think all bank pages automatically redirect http into https pages.

Thanks for any info.

Re: HTTPS access for invites or HTTP only?

Posted: Mon Sep 13, 2010 12:10 am
by madhan
We will have to look into this. Using https makes access much much slower, that is the reason why http is used instead of https all the time.