Can't connect to remote SABnzbd installation over SSL

Bug #605284 reported by espen
This bug affects 1 person
Affects: LottaNZB
Status: Fix Released
Importance: Medium
Assigned to: Severin H
Milestone:

Bug Description

When trying to connect to a remote SABnzbd installation that is on a secure connection, LottaNZB returns "HTTP error code 400".

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: lottanzb 0.6~bzr1268~1222~201007081509~lucid1
ProcVersionSignature: Ubuntu 2.6.32-23.37-generic-pae 2.6.32.15+drm33.5
Uname: Linux 2.6.32-23-generic-pae i686
NonfreeKernelModules: nvidia
Architecture: i386
CrashDB: lottanzb
Date: Wed Jul 14 08:00:50 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=nb_NO:nb:no_NO:no:nn_NO:nn:en
 LANG=nb_NO.UTF-8
 SHELL=/bin/bash
RelatedPackageVersions: lottanzb 0.6~bzr1268~1222~201007081509~lucid1
SourcePackage: lottanzb
ThirdParty: True

espen (espen-offshoreutdanning) wrote :
Severin H (severinh) wrote :

Hi espen,

thank you for reporting this bug. Right now, it's indeed not possible to securely connect to a remote instance of SABnzbd. When you do that using your web browser, it will most certainly raise a red flag unless you purchased a certificate from a certificate authority. This is because the browser does not trust the certificate.

It would be simple to add a "Use HTTPS" checkbox to the dialog for setting up LottaNZB, but no mechanism of trust would be in place. This means that even though this would cause the connection to be encrypted, there would be no guarantee whatsoever that LottaNZB is really talking to the SABnzbd instance you set up. Any adversary capable of messing with the routing taking place on the network could trick you into connecting to an instance of SABnzbd set up by him without you knowing, e.g. to perform a man-in-the-middle attack.

Of course, making that change to LottaNZB would at least prevent some network sniffers from gaining any knowledge about what you use SABnzbd for. But I wouldn't feel so comfortable advertising LottaNZB as being capable of establishing a secure connection to SABnzbd even though the system has flaws.

Any opinions on this?

Regards,
Severin

Changed in lottanzb:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → LottaNZB Development Team (lottanzb)
espen (espen-offshoreutdanning) wrote :

You bring up some good points.

I would personally prefer to have it implemented halfway than not at all, maybe with a warning box. This would certainly confuse new users without knowledge of SSL.

I see a couple of solutions:
1. Add a system that autogenerates the SSL certificates; I guess this would require changes both to SABnzbd and LottaNZB.

2. We have one number that is unique in the SABnzbd installation, the API key. It could be a possibility to require the SABnzbd API key when activating HTTPS.

Severin H (severinh)
Changed in lottanzb:
status: Triaged → Fix Committed
assignee: LottaNZB Development Team (lottanzb) → Severin Heiniger (lantash)
Severin H (severinh) wrote :

I just committed the following changes to the main branch of LottaNZB:

"Add an invisible configuration option 'https' to 'backend.sessions.remote' that makes it possible to enable SSL encryption for the connection to SABnzbd.

When setting up LottaNZB, if the port is changed to 9090, HTTPS is automatically enabled as it's the default HTTPS port. It's unlikely that a user has changed the default HTTP port from 8080 to 9090. If the port is changed from 9090 to something else, HTTPS is automatically disabled."

There are no modifications to the UI whatsoever for the time being, so there's no risk of confusing novice users. What is achieved through this change is that for the small fraction of users who use HTTPS, LottaNZB will silently use HTTPS instead of confronting them with a message like 'HTTP error code 400'. For those who use a non-standard HTTPS port, it's still possible to manually edit the LottaNZB configuration file, which is fairly easy.

Changed in lottanzb:
milestone: none → 0.6
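As an added example (not LottaNZB's or SABnzbd's own code), a Python sketch of the port-driven HTTPS toggle described in the commit above, together with the trust mechanism the earlier comments note is missing: pinning the fingerprint of the SABnzbd certificate recorded at setup time so a self-signed certificate can still be checked. The config dict keys, the /sabnzbd/api path and the mode/apikey query parameters are assumptions.

```python
import hashlib
import socket
import ssl
import urllib.parse

DEFAULT_HTTPS_PORT = 9090  # the fix treats this port as "SABnzbd speaks HTTPS"

def update_port(config, new_port):
    """Port-driven HTTPS toggle from the fix. config stands in for
    'backend.sessions.remote' (assumed keys: host, port, https).
    9090 switches https on; leaving 9090 switches it off; any other
    change keeps a manually edited https value (assumption)."""
    old_port = config.get("port")
    if new_port == DEFAULT_HTTPS_PORT:
        config["https"] = True
    elif old_port == DEFAULT_HTTPS_PORT:
        config["https"] = False
    config["port"] = new_port
    return config

def build_api_url(config, mode, apikey):
    """SABnzbd API URL; the /sabnzbd/api path and the mode/apikey
    parameters are assumed, not taken from the bug report."""
    scheme = "https" if config.get("https") else "http"
    query = urllib.parse.urlencode({"mode": mode, "apikey": apikey})
    return f"{scheme}://{config['host']}:{config['port']}/sabnzbd/api?{query}"

def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def pinned_context():
    """TLS context for a self-signed SABnzbd certificate: CA validation is
    off, so the caller must check the peer's fingerprint instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def connect_pinned(config, expected_fingerprint, timeout=10):
    """Open TLS to SABnzbd and keep the socket only if the presented
    certificate matches the fingerprint recorded at setup time."""
    raw = socket.create_connection((config["host"], config["port"]), timeout)
    tls = pinned_context().wrap_socket(raw, server_hostname=config["host"])
    if cert_fingerprint(tls.getpeercert(binary_form=True)) != expected_fingerprint:
        tls.close()
        raise ssl.SSLError("SABnzbd certificate fingerprint mismatch, refusing")
    return tls
```

The expected fingerprint would be captured once when the user sets up the remote session (trust on first use) and compared on every later connection, which closes the gap that a bare "Use HTTPS" checkbox leaves open.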
espen (espen-offshoreutdanning) wrote :

That's a great solution, thanks for your work :)

Severin H (severinh)
Changed in lottanzb:
status: Fix Committed → Fix Released