removed default username and password from javascript (or new browser auth)


Miguel Freitas

Jun 27, 2014, 8:54:10 PM6/27/14
to twist...@googlegroups.com, twiste...@googlegroups.com
I'm not sure if I already commented here on the lists; if not, I beg your pardon... this is important and/or interesting.

https://github.com/miguelfreitas/twister-html/commit/f25c6389c3a956a6ca497db12140e5b4bd8180d8

Just quoting the current discussion there:

I do not like it at all. This gives the call of a local html document a higher security priority than the private key which legitimates me for the network. It's an annoying joke. The browser session does not remember user:pwd@URL. It remembers only the URL. This is a useful security feature, but makes no sense here. At best, make it an option the user can choose. May be useful for stealable laptops and smart phones.

miguelfreitas
Owner

Please define "higher security priority"...

  • "local html document" (static content only, also available from twister-html repository) has no security: no passwords are asked.
  • json commands (which allow you to post, read private msgs etc): http authentication required.

So http authentication protects the access to your private key. Why do you think it doesn't make sense?

RealVegOs

I'm no coder, so I may not be able to describe things technically correctly. Take it in other words. It's too complicated this way. As I wrote, it may be useful as an option for portable devices, but at home I don't want to log in at all, and at least not with that browser authentication dialog, which looks to me like granting access to a local web page. Of course, when it protects the private key, then it has a higher priority. Alas, when somebody with skills grabs your computer, he will get the key anyway, or he will beat all sophisticated passwords out of us with such a simple tool as a wooden stick. There was a cartoon showing that, but I cannot find it again.
Hurray I found it: http://www.explainxkcd.com/wiki/images/3/34/security.png

miguelfreitas
Owner

@RealVegOs I understand your concern, that's the reason I hard-coded those user/pwd values in the first place: I was introducing so many new concepts within twister that another password would just make things more complicated for new users. But I knew it was wrong conceptually; the original Bitcoin code already suggests using secure (random) passwords for RPC communication.

First of all, practical terms about your problem:

  • Have you tried bookmarking the page? You might actually have to edit the bookmark manually to store the URL http://user:p...@127.0.0.1:28332, preserving the string as is.
  • I've seen you commenting that your browser complains about having user/pwd in the URL of a page that doesn't require authentication. Well, I'm not sure, but maybe it is possible to fix that by tweaking some http headers.

Bear in mind that now we have at least some people running twister and following the development, it is easier to tell users about this change (who will also tell other people).

And maybe some of those people are already thinking of packaging twister (like http://www.freshports.org/net-p2p/twister/ ), and having a way to securely use twister-html on a multi-user platform such as Linux or FreeBSD requires this.

I've updated the instructions on the web site. So hopefully new users will follow the way it is written and it will eventually work ;-)

miguelfreitas
Owner

Btw, just an additional comment: I think it is possible to explore packaging strategies for twister as is. @thedod even contributed an automatic password generator (should add this to repo) https://gist.github.com/thedod/10307356 as installer.

Then a package may add a desktop item, decide about starting twisterd as a daemon (or bundle a "runner script" that checks, starts twisterd, launches browser).

Interesting possibilities to explore (I'm not taking them).

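The split the thread argues about (static twister-html pages served with no credentials, JSON-RPC calls gated by HTTP basic auth with a random password instead of the old hard-coded one) is easy to see end to end in a few lines. The following is an added example written for this page, not code from twister, twisterd or thedod's installer gist; the server, port, method name and the `make_rpc_password` / `check_basic_auth` helpers are assumptions standing in for twisterd's real RPC layer. It runs a throwaway HTTP server on 127.0.0.1, then shows a GET of the static page succeeding without credentials, a JSON-RPC POST with no credentials or with the old `user:pwd` default being refused with 401, and the same POST with the generated password succeeding.

```python
import base64
import hmac
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def make_rpc_password(nbytes=24):
    """Random RPC password, URL-safe so it survives a user:pwd@host bookmark unchanged."""
    return secrets.token_urlsafe(nbytes)


def check_basic_auth(header, user, password):
    """True only if an 'Authorization: Basic ...' header carries exactly user:password."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(header[6:], validate=True)
    except ValueError:
        return False
    expected = f"{user}:{password}".encode()
    # constant-time compare; length mismatch simply yields False
    return hmac.compare_digest(presented, expected)


class Handler(BaseHTTPRequestHandler):
    """Stand-in for twisterd: static HTML is public, JSON-RPC needs basic auth (assumption)."""
    rpc_user = "user"
    rpc_password = "pwd"

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, status, body=b"", ctype="text/plain", extra=()):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # static content: no password asked, nothing secret is here
        if self.path in ("/", "/index.html"):
            self._reply(200, b"<html><body>twister-html static page</body></html>", "text/html")
        else:
            self._reply(404)

    def do_POST(self):
        # json commands: these reach the wallet/private key, so they must authenticate
        if not check_basic_auth(self.headers.get("Authorization"), self.rpc_user, self.rpc_password):
            self._reply(401, extra=[("WWW-Authenticate", 'Basic realm="jsonrpc"')])
            return
        length = int(self.headers.get("Content-Length", "0"))
        req = json.loads(self.rfile.read(length) or b"{}")
        result = {"result": f"executed {req.get('method')}", "error": None, "id": req.get("id")}
        self._reply(200, json.dumps(result).encode(), "application/json")


def start_server(user, password):
    """Bind a server on 127.0.0.1 with an ephemeral port and serve it from a daemon thread."""
    Handler.rpc_user, Handler.rpc_password = user, password
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def rpc_call(port, method, user=None, password=None):
    """POST one JSON-RPC request; return (HTTP status, parsed body or None)."""
    payload = json.dumps({"method": method, "params": [], "id": 1}).encode()
    req = Request(f"http://127.0.0.1:{port}/", data=payload,
                  headers={"Content-Type": "application/json"})
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, None


def demo():
    """Run the four requests discussed above and return their HTTP status codes."""
    pwd = make_rpc_password()
    srv = start_server("user", pwd)
    port = srv.server_address[1]
    try:
        static = urlopen(f"http://127.0.0.1:{port}/index.html").status
        no_auth, _ = rpc_call(port, "getinfo")
        old_default, _ = rpc_call(port, "getinfo", "user", "pwd")  # the hard-coded default
        good, body = rpc_call(port, "getinfo", "user", pwd)
        return {"static": static, "no_auth": no_auth, "old_default": old_default,
                "good": good, "body": body}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one Miguel makes in the thread: the static HTML is worth nothing to an attacker, the JSON-RPC endpoint is the thing that touches the private key, so that is where the (random, per-install) credential belongs. Anyone packaging twister would generate the password once at install time and write it into the daemon's configuration rather than ship the `user:pwd` default.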