HTTPS access for invites or HTTP only?

Support for your TonidoPlug
DaX
Rookie Tonidoid
Rookie Tonidoid
Posts: 7
Joined: Sat Mar 13, 2010 2:04 pm

HTTPS access for invites or HTTP only?

Postby DaX » Sat Mar 13, 2010 4:33 pm

If I send somebody a link for a folder share, will this person have to use HTTPS to access the content or is it possible to get access via HTTP only? If HTTP access is possible, it's a security problem for confidential files. Can you force HTTPS access?

User avatar
madhan
Admin Tonidoid
Admin Tonidoid
Posts: 8617
Joined: Tue Dec 30, 2008 12:13 am
Location: Austin, TX, USA
Contact:

Re: HTTPS access for invites or HTTP only?

Postby madhan » Sat Mar 13, 2010 4:41 pm

1) If you are using relay, you can try https:// prefix to the URL and you should get SSL access. SSL is available through our relay service.

2) If you are not using relay service then you can buy a SSL certificate to get https

DaX
Rookie Tonidoid
Rookie Tonidoid
Posts: 7
Joined: Sat Mar 13, 2010 2:04 pm

Re: HTTPS access for invites or HTTP only?

Postby DaX » Sat Mar 13, 2010 4:58 pm

madhan wrote:1) If you are using relay, you can try https:// prefix to the URL and you should get SSL access. SSL is available through our relay service.


If I understand you correctly, users could still use http to get access. They are not forced to use https?

User avatar
madhan
Admin Tonidoid
Admin Tonidoid
Posts: 8617
Joined: Tue Dec 30, 2008 12:13 am
Location: Austin, TX, USA
Contact:

Re: HTTPS access for invites or HTTP only?

Postby madhan » Sat Mar 13, 2010 5:16 pm

Correct. It is their choice.

DaX
Rookie Tonidoid
Rookie Tonidoid
Posts: 7
Joined: Sat Mar 13, 2010 2:04 pm

Re: HTTPS access for invites or HTTP only?

Postby DaX » Sat Mar 13, 2010 5:28 pm

One more question to understand the security concept.

You write on http://www.tonido.com/app_workspace_home.html:
"Data communications between Tonido workspace group members is encrypted by secure algorithms (AES 256). Your communications are completely safe from eavesdropping and tampering."

This seems to apply only if all group members use a TonidoPlug or the Tonido software. But as soon as a user accesses data via weblink (including upload possibility) privacy is not ensured any more?

User avatar
madhan
Admin Tonidoid
Admin Tonidoid
Posts: 8617
Joined: Tue Dec 30, 2008 12:13 am
Location: Austin, TX, USA
Contact:

Re: HTTPS access for invites or HTTP only?

Postby madhan » Sat Mar 13, 2010 5:33 pm

True if you they use non-ssl http://.

DaX
Rookie Tonidoid
Rookie Tonidoid
Posts: 7
Joined: Sat Mar 13, 2010 2:04 pm

Re: HTTPS access for invites or HTTP only?

Postby DaX » Sat Mar 13, 2010 5:39 pm

I like the idea of TonidoPlug very much. It would be great if you could plug this "security hole" so that (unexperienced) users would have to use https at all times.

richard42
Rookie Tonidoid
Rookie Tonidoid
Posts: 9
Joined: Thu May 13, 2010 9:05 am

Re: HTTPS access for invites or HTTP only?

Postby richard42 » Sat Sep 11, 2010 7:32 am

It is hard for people to remember typing in https instead of http when access tonido pages. This is risky from a laptop using public wi-fi as the password is show in plain text. Is there a way to configure tonidoplug to check a header or variable to redirect such http request to one that starts https? Otherwise this is a real security risk. I think all bank pages automatically redirect http into https pages.

Thanks for any info.

User avatar
madhan
Admin Tonidoid
Admin Tonidoid
Posts: 8617
Joined: Tue Dec 30, 2008 12:13 am
Location: Austin, TX, USA
Contact:

Re: HTTPS access for invites or HTTP only?

Postby madhan » Mon Sep 13, 2010 12:10 am

We will have to look into this. Using https makes access much much slower, that is the reason why http is used instead of https all the time.


Return to “TonidoPlug Support”

Who is online

Users browsing this forum: No registered users and 9 guests