No HTTP / HTTPS redirect support

#1

From the Web GUI, can we get a function to do the following:
a) put a redirect from HTTP to HTTPs in the code (or have an option for this)
b) allow us to shutdown the HTTP port

0 Likes

#2

If you turn on HTTPS the equipment already redirects you from HTTP.

1 Like

#3

You get a 301 moved permanently response from the radio server redirecting your browser to the HTTPS version…

1 Like

#4

Not on the B24 radios.

You can actually POST a clear-text password to the radio Interface before it redirects you to the HTTPS web server.

0 Likes

#5

This is kind of a huge security flaw… if I enable HTTPS, the web server should redirect BEFORE a GET or POST. It does it AFTER a POST of credentials. It’s like the NSA wanted this so they could capture passwords for this equipment.

Here is a screen shot of visiting the HTTP site after enabling HTTPS on the Interface.

I can then POST, it actually logs in for a blink, and then redirects to the HTTPS URL. Where I am then again asked to login. It’s shoddy coding for Security redirects. Do it in the Web Server code, not the UI, as especially not after I’ve already sent the password in the clear to the web server.

Shoddy security is the result- and anyone with a sniffer will capture my device password (of which I can’t put an ACL on- but that’s another ticket).

0 Likes

#6

This issue has been fixed in 2.5.2 beta 4, which should be out soon.

2 Likes

#7

Wow! I’m impressed. I feel like this could have been part of a bug bounty…

0 Likes