Search
Forum Home | Login
TryingToCustomize
TryingToCustomize
Join Date 03/2017
0

Security: Windowblinds checks for updates and downloads over HTTP

March 31, 2017 4:18:00 PM from Stardock ForumsStardock Forums

Hi again!

You probably know this already, and perhaps you're already taking steps to improve it, but I can see that WindowBlinds makes some of its calls across the internet using HTTP, not HTTPS. In this example, it's checking for updates. I haven't done a full check of the network traffic, but I'd hope the registration and trial pages don't do the same thing. Since most of this website is HTTPS now, it would be surprising.

In addition, the installers for new versions of WindowBlinds come from http://storage.stardock.com which is also insecure. However, interestingly, storage.stardock.com does work over HTTPS if you ask it to, so perhaps consider setting up permanent redirects and HSTS pinning on your site to keep everyone safe. As someone who's dabbled in IIS before, I know this is really easy to configure.

windowblinds
Search this post
Advanced Search
Subscription Options
Reason for Karma (Optional)
Successfully updated karma reason!
TryingToCustomize
DXGL
Join Date 02/2003
0
Reply #1 March 31, 2017 10:24:20 PM
from Stardock ForumsStardock Forums

It's only recently that the forum has been delivered via HTTPS; Stardock has been a holdout when it comes to making us enter passwords into insecure HTTP.

In fact, they embedded plaintext HTTP images in the release notice for Windowblinds 10.6 which makes the lock in the browser disappear.

Reason for Karma (Optional)
Successfully updated karma reason!
TryingToCustomize
DXGL
Join Date 02/2003
0
Reply #2 April 1, 2017 1:49:42 PM
from Stardock ForumsStardock Forums

Stardock's own website Wincustomize (which is linked from WindowBlinds) is also plaintext by default, especially for login.  Clicking Login pops up "Not secure" on the Chrome address bar.

Reason for Karma (Optional)
Successfully updated karma reason!
TryingToCustomize
Uvah
Join Date 05/2006
+874
Reply #3 April 1, 2017 3:18:40 PM
from WinCustomize ForumsWinCustomize Forums

I just logged out and logged back in using Chrome and it says secure https. I have Chrome's latest update version 57.

Reason for Karma (Optional)
Successfully updated karma reason!

Sign Up or Login and this ad disappears!
There are many great features available to you once you register. Sign Up for a free account and browse the forums without ads.

TryingToCustomize
Neil Banfield
Join Date 04/2001
+1104 sdemployee
Reply #4 April 1, 2017 7:25:18 PM
from Stardock ForumsStardock Forums

Quoting ,
quoting post

Hi again!

You probably know this already, and perhaps you're already taking steps to improve it, but I can see that WindowBlinds makes some of its calls across the internet using HTTP, not HTTPS. In this example, it's checking for updates. I haven't done a full check of the network traffic, but I'd hope the registration and trial pages don't do the same thing. Since most of this website is HTTPS now, it would be surprising.

In addition, the installers for new versions of WindowBlinds come from http://storage.stardock.com which is also insecure. However, interestingly, storage.stardock.com does work over HTTPS if you ask it to, so perhaps consider setting up permanent redirects and HSTS pinning on your site to keep everyone safe. As someone who's dabbled in IIS before, I know this is really easy to configure.


There is no need for the manual version check to be HTTPS.  It is simply a lookup to a single URL which returns a text file.  No secure information is sent either direction.  HTTPS alone offers very little in the way of additional safety over HTTP.

If there is a file found it will check locally what the versions are and then go to a hardcoded location to tell you about the updates, not any URL in the file returned.

The automatic check uses a different system.

Reason for Karma (Optional)
Successfully updated karma reason!
TryingToCustomize
TryingToCustomize
Join Date 03/2017
0
Reply #5 April 1, 2017 11:38:13 PM
from Stardock ForumsStardock Forums

Quoting Neil Banfield,
reply 4

There is no need for the manual version check to be HTTPS.  It is simply a lookup to a single URL which returns a text file.  No secure information is sent either direction.  HTTPS alone offers very little in the way of additional safety over HTTP.

If there is a file found it will check locally what the versions are and then go to a hardcoded location to tell you about the updates, not any URL in the file returned.

The automatic check uses a different system.

That's somewhat reassuring. Hopefully the code which compares the version numbers is not vulnerable to buffer overruns etc! I'd still recommend updating that at some point as a matter of best practice.

Is there any ETA for making sure downloads are served over HTTPS? That's the biggest risk to end users. It should be as simple as setting up IIS redirects and updating some web pages.

And as BFeely said, it would be great to get that on WinCustomize too. Anywhere that serves downloads or accepts user logins.

Reason for Karma (Optional)
Successfully updated karma reason!
TryingToCustomize
TryingToCustomize
Join Date 03/2017
0
Reply #6 April 1, 2017 11:41:27 PM
from Stardock ForumsStardock Forums

Oh, as a side note, it's impossible to update avatars on this forum. It requires not only using Flash Player, but also allowing mixed content (HTTP on HTTPS pages). Out of shear curiosity, I did both of these unsafe things to test it out, and it still failed to upload the file (server reported back with error 500).

Reason for Karma (Optional)
Successfully updated karma reason!
TryingToCustomize
Jafo
Join Date 03/2001
+1846 sdemployee
Reply #7 April 1, 2017 11:53:00 PM
from WinCustomize ForumsWinCustomize Forums

Quoting TryingToCustomize,
reply 6

Oh, as a side note, it's impossible to update avatars on this forum. It requires not only using Flash Player, but also allowing mixed content (HTTP on HTTPS pages). Out of shear curiosity, I did both of these unsafe things to test it out, and it still failed to upload the file (server reported back with error 500).

You're accessing this forum via 'Stardock Forums'.  Stardock's sites [there are MANY] each have a Forum, mostly interlinked but filtering out some sections as 'irrelevances'.  The system is quite complex and extensive and mostly unnoticed by a new user.

One site... Joe User https://forums.joeuser.com/ can and does facilitate Avatar changes [effective on all sites] though as with any net site you'll likely need to clear your browser cache before you see the change...

Reason for Karma (Optional)
Successfully updated karma reason!
TryingToCustomize
TryingToCustomize
Join Date 03/2017
0
Reply #8 April 2, 2017 12:23:26 AM
from Stardock ForumsStardock Forums

Well, that certainly sounds complicated!

Just to be sure, are you saying I should log into the JoeUser forum with my Stardock credentials?

Reason for Karma (Optional)
Successfully updated karma reason!
TryingToCustomize
TryingToCustomize
Join Date 03/2017
0
Reply #9 April 2, 2017 12:25:33 AM
from Stardock ForumsStardock Forums

Actually, no need. I found that using the Change Avatar feature on the Stardock 'My Account' section seemed to do the trick.

For your reference, the page I was trying to use was here: https://forums.stardock.com/account/images I'm not sure if those pages can be changed or disabled depending on what the underlying forum software is.

Reason for Karma (Optional)
Successfully updated karma reason!
View all recent posts
Mark all posts as read Delete cookies created by the forum Return to Top
Stardock Forums v        Server Load Time:   Page Render Time: