Support SSL/HTTPS connections

Are you missing a feature? Request it's implementation here.
gchale3rd
Posts: 7

Support SSL/HTTPS connections

Sat Mar 11, 2017 12:08 am

I'm using the Oxygen XML Editor 18.0 to create/edit DITA topics that are hosted on easyDITA. Oxygen is configured to connect to easyDITA using the WebDAV FTP data source. A recent security scan by our company security team revealed that Oxygen is sending clear text passwords to easyDITA. I have read some other posts about this same type of issue, so I wanted to add my name to the list of people who would like to see Oxygen add support for certificate-based client authentication over SSL/HTTPS.

Thanks,

George
adrian
Posts: 2442

Re: Support SSL/HTTPS connections

Mon Mar 13, 2017 12:14 pm

Hi,

A recent security scan by our company security team revealed that Oxygen is sending clear text passwords to easyDITA.
If you're accessing the server via HTTP with basic authentication, then you should know that this is the norm, password is either in clear text (or base64 encoded, if digest is used, but is never encrypted). It's not something that Oxygen does wrong, this is the actual standard for basic authentication for HTTP.
If you are using the server across the Internet and packet sniffing is a concern (clear text password can be exposed), the server should be configured to only accept HTTPS connections. Do note that, for this particular concern, it is sufficient to use HTTPS, preferably with a server-side certificate from a proper authority, with password authentication. In this case the password is also sent within the encrypted SSL connection, so it's no longer subject to packet sniffing.

I have read some other posts about this same type of issue, so I wanted to add my name to the list of people who would like to see Oxygen add support for certificate-based client authentication over SSL/HTTPS.
I've logged another vote for implementing support for HTTPS with certificate-based client authentication and mentioned your concerns on our issue tracking tool.
Until we support certificate-based client authentication in Oxygen, I would recommend using at least HTTPS with password authentication.

Regards,
Adrian
Adrian Buza
<oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
http://www.oxygenxml.com

Return to “Feature Request”

Who is online

Users browsing this forum: No registered users and 2 guests