Can't connect to remote SABnzbd installation over SSL
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
LottaNZB | Fix Released | Medium | Severin H | |
Bug Description
When trying to connect to a remote SABnzbd installation that is on a secure connection, LottaNZB returns "HTTP error code 400".
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: lottanzb 0.6~bzr1268~
ProcVersionSign
Uname: Linux 2.6.32-
NonfreeKernelMo
Architecture: i386
CrashDB: lottanzb
Date: Wed Jul 14 08:00:50 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
PackageArchitec
ProcEnviron:
LANGUAGE=
LANG=nb_NO.UTF-8
SHELL=/bin/bash
RelatedPackageV
SourcePackage: lottanzb
ThirdParty: True
Changed in lottanzb:
status: Triaged → Fix Committed
assignee: LottaNZB Development Team (lottanzb) → Severin Heiniger (lantash)
Changed in lottanzb:
status: Fix Committed → Fix Released
Hi espen,
thank you for reporting this bug. Right now, it's indeed not possible to securely connect to a remote instance of SABnzbd. When you do that using your web browser, it will most certainly raise a red flag unless you purchased a certificate from a certificate authority. This is because the browser does not trust the certificate.
It would be simple to add a "Use HTTPS" checkbox to the dialog for setting up LottaNZB, but no mechanism of trust would be in place. This means that even though this would cause the connection to be encrypted, there would be no guarantee whatsoever that LottaNZB is really talking to the SABnzbd instance you set up. Any adversary capable of messing with the routing taking place on the network could trick you into connecting to an instance of SABnzbd set up by him without you knowing, e.g. to perform a man-in-the-middle attack.
Of course, making that change to LottaNZB would at least prevent some network sniffers from gaining any knowledge about what you use SABnzbd for. But I wouldn't feel comfortable advertising LottaNZB as being capable of establishing a secure connection to SABnzbd even though the system has flaws.
Any opinions on this?
Regards,
Severin
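
The difference between an encrypted connection and an authenticated one, as discussed in the comment above, shown as an added example (not LottaNZB's code and not a fix proposed in this thread). It assumes certificate fingerprint pinning as the trust mechanism for a self-signed SABnzbd certificate; all function names are hypothetical.

```python
import hashlib
import socket
import ssl


def encrypt_only_context() -> ssl.SSLContext:
    """What a bare "Use HTTPS" checkbox amounts to: TLS without peer authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # every certificate is accepted, an interceptor's too
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Compare the presented certificate with the fingerprint the user recorded
    out of band (for example, read off the SABnzbd host itself)."""
    expected = pinned.replace(":", "").strip().lower()
    return fingerprint(der_cert) == expected


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the server certificate matches the pin.

    CA validation is skipped on purpose, since a self-signed certificate cannot
    pass it; the pin is the trust mechanism instead. No application data is sent
    before the fingerprint check succeeds.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = None
    try:
        tls = encrypt_only_context().wrap_socket(raw, server_hostname=host)
        der = tls.getpeercert(binary_form=True)  # available even with CERT_NONE
        if der is None or not matches_pin(der, pinned):
            raise ssl.SSLError("server certificate does not match the pinned fingerprint")
        return tls
    except Exception:
        (tls or raw).close()
        raise
```

Using `encrypt_only_context()` on its own reproduces the situation the comment warns about; `connect_pinned()` adds the missing guarantee that the peer is the instance whose fingerprint was recorded.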