Specifically, the assertion "Synergy should work just fine no matter which protocol is used, you can load the register page via Https just fine and I think all XHR requests are being made to relative urls so it should respect the protocol" isn't quite true because some assets are hard-wired as `http`.
> On Oct 4, 2018, at 1:48 PM, Alvin Thompson <al...@thompsonlogic.com> wrote: > > Unfortunately no. Can someone tweak the page source to load the page assets > securely? It shouldn't be too involved at all. > >> On Oct 3, 2018, at 11:53 PM, Vladimir Riha <vladimir.r...@oracle.com >> <mailto:vladimir.r...@oracle.com>> wrote: >> >> Hi, I'm on a vacation for the next month so it will have to wait I'm afraid. >> Synergy should work just fine no matter which protocol is used, you can load >> the register page via Https just fine and I think all XHR requests are being >> made to relative urls so it should respect the protocol. It is possible that >> some redirect causes change of https to http though. Is this the case? >> >> Thanks, >> Lada >> >> >> >> 4. října 2018 0:25:30 SELČ, "Jiří Kovalský" <jiri.koval...@oracle.com >> <mailto:jiri.koval...@oracle.com>> napsal: >>> Vladimír, >>> >>> do you think this would be an easy fix to keep the secure protocol >>> upon logging in securely? As Alvin pointed out Synergy redirects from >>> https to http for me. >>> >>> Thanks for your answer! >>> >>> -Jirka >>> >>> Dne 3.10.2018 v 20:01 Alvin Thompson napsal(a): >>>> Unfortunately it's not quite such an easy fix. The page itself relies >>> on assets which are also not secure (for example, jquery is loaded over >>> an insecure connection). The page source must be tweaked to load all >>> assets securely and the service it hits to submit the information must >>> be secured (if it isn't already). Then the page can be served over >>> HTTPS. Everything must be secure or nothing is. >>>> >>>>> On Oct 3, 2018, at 1:29 PM, Leo Donahue <donahu...@gmail.com >>>>> <mailto:donahu...@gmail.com>> wrote: >>>>> >>>>> Do you think whoever created the wiki page simply forgot to include >>> https in the url they posted here, on step #3. >>>>> >>>>> >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_NETBEANS_NetCAT-2B10.0-2BParticipants&d=DwIFAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=8_Pz0x0SKeT5e3IehhQKCbQ2xl3tz40jnCU133NrdP4&m=AOtFKoKXPMlll_r-jRLoGPxCEXD3yLe3upMrT0n4ipE&s=2C0Rknr0VdjT2muhBycBusrBosI8S2IbYeKRFk5YOFk&e= >>> >>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_NETBEANS_NetCAT-2B10.0-2BParticipants&d=DwIFAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=8_Pz0x0SKeT5e3IehhQKCbQ2xl3tz40jnCU133NrdP4&m=AOtFKoKXPMlll_r-jRLoGPxCEXD3yLe3upMrT0n4ipE&s=2C0Rknr0VdjT2muhBycBusrBosI8S2IbYeKRFk5YOFk&e=> >>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_NETBEANS_NetCAT-2B10.0-2BParticipants&d=DwIFAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=8_Pz0x0SKeT5e3IehhQKCbQ2xl3tz40jnCU133NrdP4&m=AOtFKoKXPMlll_r-jRLoGPxCEXD3yLe3upMrT0n4ipE&s=2C0Rknr0VdjT2muhBycBusrBosI8S2IbYeKRFk5YOFk&e=> >>>>> >>>>> The cert for the domain is good for https >>>>> >>> https://urldefense.proofpoint.com/v2/url?u=https-3A__netbeans-2Dvm.apache.org&d=DwIFAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=8_Pz0x0SKeT5e3IehhQKCbQ2xl3tz40jnCU133NrdP4&m=AOtFKoKXPMlll_r-jRLoGPxCEXD3yLe3upMrT0n4ipE&s=_x3q3qTK5RdcQVpzH-i4g8zxXDiMKqFypyA6elloINY&e= >>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__netbeans-2Dvm.apache.org_&d=DwIFAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=8_Pz0x0SKeT5e3IehhQKCbQ2xl3tz40jnCU133NrdP4&m=AOtFKoKXPMlll_r-jRLoGPxCEXD3yLe3upMrT0n4ipE&s=GVMC0xnyxX2VmaOOy7u7WHcaSOgndYYwKNqr3mYYm9w&e=> >>>>> >>>>> It seems like a very short time (3 months) to pay for... >>>>> >>>>> On Wed, Oct 3, 2018, 11:14 Alvin Thompson <al...@thompsonlogic.com >>> <mailto:al...@thompsonlogic.com>> wrote: >>>>> That is not something the filler of the form could or should do; not >>> only does the web service that the form sends this information to need >>> to be secure, but the form itself must be secure. >>>>> >>>>> It's possible that the javascript that the page uses to submit the >>> password (it's an angular.js app) submits to a service secured with >>> HTTPS already, but by that time it's too late. Since the javascript >>> itself was loaded over an insecure connection, it can be modified with >>> a "man in the middle" attack to submit the data somewhere >>> else--therefore it just can't be trusted. >>>>> >>>>> On Wed, Oct 3, 2018 at 11:50 AM Leo Donahue <donahu...@gmail.com >>> <mailto:donahu...@gmail.com>> wrote: >>>>> Can you just change protocol of url to https? >>>>> >>>>> On Wed, Oct 3, 2018, 09:25 Alvin Thompson <al...@thompsonlogic.com >>> <mailto:al...@thompsonlogic.com>> wrote: >>>>> Sorry to be a stickler for this, but the Synergy sign-up page ( >>>>> >>> https://urldefense.proofpoint.com/v2/url?u=http-3A__netbeans-2Dvm.apache.org_synergy_client_app_-23_register&d=DwIFAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=8_Pz0x0SKeT5e3IehhQKCbQ2xl3tz40jnCU133NrdP4&m=AOtFKoKXPMlll_r-jRLoGPxCEXD3yLe3upMrT0n4ipE&s=mWQUdJG3W154YmEs9jZHEDFyk-nrHEK50ztQAWmBFYA&e= >>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__netbeans-2Dvm.apache.org_synergy_client_app_-23_register&d=DwIFAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=8_Pz0x0SKeT5e3IehhQKCbQ2xl3tz40jnCU133NrdP4&m=AOtFKoKXPMlll_r-jRLoGPxCEXD3yLe3upMrT0n4ipE&s=mWQUdJG3W154YmEs9jZHEDFyk-nrHEK50ztQAWmBFYA&e=>) >>> asks you to >>>>> submit a password over an insecure connection. Can this be moved to >>> HTTPS? >>>> >>>> >> >> -- >> Sent from my Android device with K-9 Mail. Please excuse my brevity. >
