Mobile Apps: Without HTTPS will password be in plain text?

fray_bentos
I'm New!
Posts: 1
Joined: Sat Jan 23, 2016 11:52 am

Mobile Apps: Without HTTPS will password be in plain text?

Unread post by fray_bentos » Sat Jan 23, 2016 12:44 pm

Simple question: If HTTPS is not enabled when using mobile apps, e.g. Photo Station, will the login credentials (username and password) be sent to the Synology in plain text?

I ask because I don't mind the content of the apps being unencrypted, e.g. videos, but I don't want my username and password to go in plain text, as someone could use them to log in to the web interface etc.

Does anyone know? Thanks.

BiLLou_be
I'm New!
Posts: 6
Joined: Sun Oct 11, 2015 11:52 am

Re: Mobile Apps: Without HTTPS will password be in plain text?

Unread post by BiLLou_be » Fri Aug 26, 2016 12:16 pm

Interesting question... I'd like to know the answer to that one.

drabisan
Guru
Posts: 1474
Joined: Sat Jul 17, 2010 12:04 pm

Re: Mobile Apps: Without HTTPS will password be in plain text?

Unread post by drabisan » Fri Aug 26, 2016 1:19 pm

This is the way with http. Everything can be read without much trouble beyond capturing the traffic.
Yes, there's a lot of CPU load to encrypt and decrypt non-sensitive traffic, like pictures or video, but good practices implemented in browsers and web-based apps (like DS*) disallow using a percentage http and a different percentage https in the same web page.

So the answer is either black or white, there's no grey.

BiLLou_be
I'm New!
Posts: 6
Joined: Sun Oct 11, 2015 11:52 am

Re: Mobile Apps: Without HTTPS will password be in plain text?

Unread post by BiLLou_be » Fri Aug 26, 2016 1:26 pm

I still want to know if username and password are sent in plain text when connecting without HTTPS enabled. I would hope that the authentication happens in a secure way even if the rest of the session works in plain HTTP.

Do the mobile applications get automatically redirected to HTTPS too when this setting is activated in DSM? Should I close ports 80 and 5000 even when I have enabled this DSM setting?

drabisan
Guru
Posts: 1474
Joined: Sat Jul 17, 2010 12:04 pm

Re: Mobile Apps: Without HTTPS will password be in plain text?

Unread post by drabisan » Fri Aug 26, 2016 1:59 pm

Your password is sent in plain text. Don't set yourself any expectations about security and http!
Yes, there's a redirect from http to https when https is enabled. You don't need 80 or 5000, but you have to point your browser or apps to 443 or 5001.
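
To illustrate the answer above, here is an added example (not part of the original thread and not Synology code) that classifies the first bytes a client sends on a connection as cleartext HTTP or TLS and names any credential fields visible in it. The sample payloads, the host `nas.example`, the `/login` path and the field-name list are constructed assumptions, not DSM's actual login API.

```python
from urllib.parse import parse_qsl, urlsplit

# Field names treated as credentials: an assumed list, not taken from DSM.
CREDENTIAL_FIELDS = {"username", "user", "account", "password", "passwd"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


def classify_payload(payload: bytes) -> dict:
    """Classify the first bytes a client sends on a new TCP connection."""
    # A TLS connection opens with a handshake record: type 0x16, major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return {"transport": "tls", "exposed_fields": []}
    if not payload.startswith(HTTP_METHODS):
        return {"transport": "unknown", "exposed_fields": []}

    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""

    # Credentials can ride in the query string or in a form-encoded body.
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    # Report field names only, so the audit output never stores the secrets.
    exposed = sorted({k for k, _ in pairs if k.lower() in CREDENTIAL_FIELDS})
    return {"transport": "http", "exposed_fields": exposed}


# Constructed sample: a form login sent to the plain-HTTP port (5000).
SAMPLE_HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: nas.example:5000\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"username=alice&password=correct-horse-42"
)
# Constructed sample: start of a TLS ClientHello, as sent to the HTTPS port (5001).
SAMPLE_TLS_HELLO = bytes.fromhex("16030100c8010000c40303") + bytes(32)

if __name__ == "__main__":
    for name, data in [("http:5000", SAMPLE_HTTP_LOGIN), ("https:5001", SAMPLE_TLS_HELLO)]:
        print(name, classify_payload(data))
```
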

asd-123
Beginner
Posts: 29
Joined: Fri Dec 12, 2014 8:44 am

Re: Mobile Apps: Without HTTPS will password be in plain text?

Unread post by asd-123 » Wed Mar 01, 2017 10:01 am

I think he wanted to be sure that, if he is on any wifi network and connecting himself to home over the DS apps, then any sniffer or the owner of the wifi AP can read his login credentials... :)

You should use only "read" accounts when connecting like this ;)
