[WONTFIX] Passing Variables

Support and feedback for NetherPanel
AKA java UniUploader

[WONTFIX] Passing Variables

Postby carlpalmer » Wed Apr 11, 2007 10:37 pm

Ok I am playing with this, and I have a problem with the way that variables are passed. I have it set up so that everyone uses the username and password for the roster, so that they can update the guild roster whenever they connect. The problem is that the password is shown in clear text on the config page.

All anyone has to do is install this, and they have complete unmitigated access to the administration of my Roster site. I think this is a bad idea.
Last edited by carlpalmer on Sun Apr 15, 2007 5:23 pm, edited 1 time in total.
A computer is like an Old Testament god, with a lot of rules and no mercy.

carlpalmer
WR.net Apprentice
Posts: 24
Joined: Fri Jul 21, 2006 4:27 am

Passing Variables

Postby robojerk » Wed Apr 11, 2007 11:59 pm

carlpalmer wrote: I have it set up so that everyone uses the username and password for the roster...

All anyone has to do is install this, and they have complete unmitigated access to the administration of my Roster site. I think this is a bad idea.


Maybe some future version of WoWRoster will support multi users with different access. For the time being I think you should stop allowing them full access to your Roster.
Last edited by robojerk on Thu Apr 12, 2007 12:24 am, edited 1 time in total.
For the Horde!
robojerk
WR.net Master
Posts: 484
Joined: Wed Jul 05, 2006 12:17 am
Location: -The OmniMatrix- Web 3.0

Passing Variables

Postby lhunath » Thu Apr 12, 2007 12:14 am

Dear carlpalmer ..

I am no fan of obfuscation. If you wish to suggest obfuscation principles, suggest away, but you will NEVER see obfuscation introduced in jUniUploader.

Security is a SERIOUS thing. Obfuscation is a pathetic attempt at making something look secure.

Let me explain myself.

Any password and username are sent to jUniUploader IN CLEAR TEXT by UniAdmin. You can SEE THE PASSWORD by browsing to this url:

http://my-guild.com/blahblah/uniadmin/interface.php?OPERATION=GETSETTINGSXML

That is your guild's UniAdmin sync url with the query that asks for the settings. Look at its output in your web browser, it tells you the password LITERALLY.

If you wish to discuss security, do not come to me, go to Zanix and ask for HTTP authentication and making HTTPS REQUIRED.
Only then, I will consider putting stars on any sort of password in jUniUploader. Currently, it's totally ridiculous to try and hide the password. If anything, it will push the WoWRoster devs to become sane and never send passwords on unencrypted streams, accessible by anonymous users.
Last edited by lhunath on Thu Apr 12, 2007 12:15 am, edited 1 time in total.
"OK, so ten out of ten for style, but minus several million for good thinking, yeah?"
-- Zaphod Beeblebrox
lhunath
UA/UU Developer
Posts: 201
Joined: Sat Jul 22, 2006 12:32 pm
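The post above describes two separate exposures: the sync URL is plain HTTP, and the GETSETTINGSXML query hands back the settings, password included, to anyone who asks. The following audit helper is an added example, not code from UniAdmin, jUniUploader or anyone in this thread. It takes the sync URL a client is configured with and the XML body the settings query returns, and reports whether credentials would travel or be served in the clear. The element names in the sample XML (`roster_url`, `username`, `password`, `upload_interval`) and the credential-name hints are assumptions; the thread does not show UniAdmin's real schema.

```python
"""Audit helper (added example, not part of UniAdmin or jUniUploader):
given the sync URL a client is configured with and the body returned by
the OPERATION=GETSETTINGSXML query, report whether credentials are
exposed in transit or in the response itself."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Substrings that suggest an element carries a secret (assumption, not
# derived from UniAdmin's schema).
CREDENTIAL_HINTS = ("pass", "pwd", "secret", "token")

# Constructed sample response; element names are assumptions, not UniAdmin's.
SAMPLE_SETTINGS_XML = """<?xml version="1.0"?>
<settings>
  <roster_url>http://my-guild.com/blahblah/roster/</roster_url>
  <username>guildadmin</username>
  <password>hunter2</password>
  <upload_interval>300</upload_interval>
</settings>
"""


def exposed_credentials(xml_text):
    """Return (element_name, value) pairs whose name looks like a credential
    and whose value is non-empty, i.e. secrets readable by anyone who can
    fetch the settings document."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        name = elem.tag.lower()
        value = (elem.text or "").strip()
        if value and any(hint in name for hint in CREDENTIAL_HINTS):
            found.append((elem.tag, value))
    return found


def transport_findings(sync_url):
    """Flag a sync URL whose scheme is not https: the settings query and
    its response, credentials included, are readable on the wire."""
    scheme = urlparse(sync_url).scheme.lower()
    if scheme != "https":
        return [f"sync URL uses {scheme or 'no'} scheme; credentials are sent in cleartext"]
    return []


def audit(sync_url, settings_xml):
    """Combine both checks into a list of human-readable findings.
    Secret values are masked so the report itself does not leak them."""
    findings = transport_findings(sync_url)
    for tag, value in exposed_credentials(settings_xml):
        masked = value[:1] + "*" * (len(value) - 1)
        findings.append(f"<{tag}> returned by GETSETTINGSXML contains a secret ({masked})")
    return findings


if __name__ == "__main__":
    url = "http://my-guild.com/blahblah/uniadmin/interface.php?OPERATION=GETSETTINGSXML"
    for line in audit(url, SAMPLE_SETTINGS_XML):
        print("FINDING:", line)
```

Run against the URL from the post and the constructed XML, the script reports two findings: the HTTP scheme and the `<password>` element. Switching the URL to https removes the first finding but not the second, which is the point made above: transport encryption alone does not help while the settings endpoint serves the password to unauthenticated requests.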

Re: Passing Variables

Postby carlpalmer » Thu Apr 12, 2007 12:26 am

lhunath that is information that I didn't know. You make a good point, and based on that, I completely see where you are coming from.

robojerk - Well, that would be fantastic, not giving them full access to the roster, but since that password is required when updating the guild roster, this suggestion is useful.
A computer is like an Old Testament god, with a lot of rules and no mercy.

carlpalmer
WR.net Apprentice
Posts: 24
Joined: Fri Jul 21, 2006 4:27 am

Passing Variables

Postby PleegWat » Thu Apr 12, 2007 4:25 am

The data would also be in plaintext in the normal UU's config file, as it probably is in jUU's config file.

Oh, and in 1.8 there's a three-level auth system with guild/officer/admin passes. No full auth but as close as you're likely to get in the 1x line.
I <3 /bin/bash
PleegWat
WoWRoster.net Dev Team
Posts: 1636
Joined: Tue Jul 04, 2006 1:43 pm

Re: Passing Variables

Postby robojerk » Thu Apr 12, 2007 4:39 am

PleegWat wrote: The data would also be in plaintext in the normal UU's config file, as it probably is in jUU's config file.

Word.

PleegWat wrote: Oh, and in 1.8 there's a three-level auth system with guild/officer/admin passes. No full auth but as close as you're likely to get in the 1x line.

Disco!
For the Horde!
robojerk
WR.net Master
Posts: 484
Joined: Wed Jul 05, 2006 12:17 am
Location: -The OmniMatrix- Web 3.0

Re: Passing Variables

Postby lhunath » Thu Apr 12, 2007 6:22 am

PleegWat wrote: The data would also be in plaintext in the normal UU's config file, as it probably is in jUU's config file.

Oh, and in 1.8 there's a three-level auth system with guild/officer/admin passes. No full auth but as close as you're likely to get in the 1x line.

Sounds like a good start. But I still highly recommend HTTPS. Sending passwords in the clear is like making a forum post asking for your roster to be hacked and providing the password for it.

By the way, carlpalmer, I hope I didn't sound personal; I tend to sound a little too offensive when talking about security issues. Naturally I did not intend to direct anything toward you.
Last edited by lhunath on Thu Apr 12, 2007 6:23 am, edited 1 time in total.
"OK, so ten out of ten for style, but minus several million for good thinking, yeah?"
-- Zaphod Beeblebrox
lhunath
UA/UU Developer
Posts: 201
Joined: Sat Jul 22, 2006 12:32 pm

Passing Variables

Postby PleegWat » Thu Apr 12, 2007 5:49 pm

This discussion has been had between the devs before. Matt clearly stated he's never gonna support https. The problem with https is that it's still not secure unless you have an officially signed certificate. The cost of those put them outside consideration.
I <3 /bin/bash
PleegWat
WoWRoster.net Dev Team
Posts: 1636
Joined: Tue Jul 04, 2006 1:43 pm