Author Topic: Severe security vulnerabilities for Multi Commander  (Read 16584 times)

Andreas17

  • Newbie
  • *
  • Posts: 2
    • View Profile
Severe security vulnerabilities for Multi Commander
« on: May 25, 2020, 07:47:28 »
Hello

The Multi Commander is really a great tool. But unfortunately it's exposed severely for security vulnerabilities
1. Its web page uses still HTTP but not HTTPS. So no user has a chance to prove it by checking the certificate. Man-in-the-middle and many other attacks can not be detected.
2. The application is not digitally signed. A modification of the application by a malicious app cannot be detected.
Neither authentity nor authority can be proven.

Question: Are you really willing to jeopardise your great work by such silly security omissions?
That would be really a bummer.

So please fix that. newbielink:https://letsencrypt.org/ [nonactive] offers certificates free of charge.

Thanks.

Kind regards,
Andreas


Mathias (Author)

  • Administrator
  • VIP Member
  • *****
  • Posts: 4416
    • View Profile
    • Multi Commander
Re: Severe security vulnerabilities for Multi Commander
« Reply #1 on: May 25, 2020, 08:42:41 »
1. HTTP is because of server reasons.
HTTPS does not protect you against "main in the middle" attack, the attacker can also get a cert from letsencrypt so you will not notice.
HTTPS with letsencrypt protect you from somebody listning in.  but you do not send any personal info when visit the webpage,
However there is plans to change it when I can move the site, but that is a money issue.

2. App Cert is somethings on my list I want to do.. BUT it is a money issue.. it cost around 150-350$ a year for a code sign certificate.

« Last Edit: May 25, 2020, 09:22:24 by Mathias (Author) »

Andreas17

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: Severe security vulnerabilities for Multi Commander
« Reply #2 on: June 04, 2020, 19:54:03 »
Almost all providers of web services with a login provides their web page with HTTPS - banks, shops etc. Even the login credentials for your forum are transmitted as clear text. So why do they invest in security which you argue as unneeded or too expensive?

I understand that security is not for free. I hope you'll find a valuable business model which allows you to provide a minimal security level to protect your product and your customers.

Kind regards,
Andreas

Mathias (Author)

  • Administrator
  • VIP Member
  • *****
  • Posts: 4416
    • View Profile
    • Multi Commander
Re: Severe security vulnerabilities for Multi Commander
« Reply #3 on: June 05, 2020, 07:23:52 »
It is very different with a bank or shop where you provide credits card or other sensitive info and a website where you download a pice of free software.
This is not a busniess. I do not sell anything. I don't have customers. I got some users that use the program I have developed for my own needs.

But HTTPS is coming in the future when I get the time to move everything. But thinking that HTTPS will make everything safe is just to lie to your self. All HTTPS with free cert do is to make it harder for government and ISPs to spy on you. It just encrypt the traffic,  It is not stopping Man In the Middle attacks since they can also get the same free cert and use that, The free Cert do not have any verification that checks that you are who you say you are. They are low security..  They are just for encryption and to make to harder to do big scale spaying on all. like Goverments and ISP can do.. Targetet spying will do a man in the middle attack and they will use the free low security cert.

Btw login/passwd for the forum is not sent in plain text. it is encrypted before sent.
« Last Edit: June 05, 2020, 07:29:55 by Mathias (Author) »

Nortuk

  • Newbie
  • *
  • Posts: 1
    • View Profile
Re: Severe security vulnerabilities for Multi Commander
« Reply #4 on: June 18, 2020, 08:14:29 »
1. HTTP is because of server reasons.
HTTPS does not protect you against "main in the middle" attack, the attacker can also get a cert from letsencrypt so you will not notice.
HTTPS with letsencrypt protect you from somebody listning in.  but you do not send any personal info when visit the webpage,
However there is plans to change it when I can move the site, but that is a money issue.

2. App Cert is somethings on my list I want to do.. BUT it is a money issue.. it cost around 150-350$ a year for a code sign certificate.
Hi Mathias
I can see your problems and I would like to make a suggestion even though I am a newbie here, and I have not posted my problem yet. If you would open a PayPal account I would be glade to send you $50 to get you started. I think this is absolutely the best file handling system I have ever used, and I have been around before Windows 1. I would not like to see it go by the wayside. I suspect there are others who feel the same. Even if you can not fix my problem and I have to look for another solution please email me when you get PayPal set up and I will still send you the $50.
Terry

Matthias515566

  • Power Member
  • ****
  • Posts: 323
    • View Profile
Re: Severe security vulnerabilities for Multi Commander
« Reply #5 on: June 18, 2020, 10:55:27 »
Yo can make your Donation here: http://multicommander.com/donate

nortuck

  • Newbie
  • *
  • Posts: 3
    • View Profile