Moderator: moderators
I do trust, but I also trust into proven security mechanisms, which usually imply to restrict what an app can access. Think about a XSS vulnerability in MiniSub that now could be used to modify any other app running in the browser (maybe not Chrome today). Nobody is perfect, and if there is one experience over the last decade, then that hackers will find new ways to attack applications..tsquillario wrote:If you don't trust me, ..
Likely not, at least not experts knowing what they do..grumpwagon wrote:(no one is running a music frontend on their critical production servers, right?).
Why? Are you using a different PC for Subsonic and for home banking or similar applications? And lots of attackware try different exploits until they succeed.grumpwagon wrote:popular enough to be an attack vector for a consumer PC ... is a bit outlandish.
jol wrote:Likely not, at least not experts knowing what they do..grumpwagon wrote:(no one is running a music frontend on their critical production servers, right?).Why? Are you using a different PC for Subsonic and for home banking or similar applications? And lots of attackware try different exploits until they succeed.grumpwagon wrote:popular enough to be an attack vector for a consumer PC ... is a bit outlandish.
You can call me paranoid, but I would never click Re-Enable in that prompt and yet assume all of my family members would do (not sure if they can, they are not admins on their respective PCs).
Best regards, jol
Just to be crystal clear: I am writing about a PC to listen to music (whatever client), not to run the Subsonic server.jol wrote:Why? Are you using a different PC for Subsonic and for home banking or similar applications?
I am using https. http is blocked from the Internet. My familiy is not administrator. Music is the data I worry least about on my server (and also on my client). I am using Bitlocker, VPN, and I guess I know what I am doing (most of the time). However, I don´t expect all users to know what they are doing.tsquillario wrote:If anything you should be worried about your Subsonic server getting hacked, especially if your not using https.
I assume the 95% scenario is MiniSub being downloaded from the Subsonic server, correct? Then why don´t you generate the Manifest on the server with the exact URL required? I haven´t seen this prompt in any of the apps I used, but plenty of them support Ajax and run on various servers.tsquillario wrote:If I could design the App a different way to not have to prompt you I would. However Google doesn't allow you to specify the URL for ajax requests after the fact, you can only set them statically in the manifest. Don't use it man, no one is forcing you.
Indeed that would be the consequence if I (continue to) get the popup. The warning is there for good reasons, and I am taking security warnings serious. Unfortunately I know most users don´t.tsquillario wrote:Don't use it man, no one is forcing you.
I assume the 95% scenario is MiniSub being downloaded from the Subsonic server, correct? Then why don´t you generate the Manifest on the server with the exact URL required? I haven´t seen this prompt in any of the apps I used, but plenty of them support Ajax and run on various servers.
Thanks for challenging me. I learned something. But I cannot find an app, imho the permission concept of the chrome extensions container is just broken.tsquillario wrote:You find me an app that lets you specify your server URL and doesn't require the same permissions and I'd be glad to redesign things in that way.
http://www.informationweek.com/security/application-security/google-chrome-extensions-6-security-fact/232700243Felix FX Lindner, head of Recurity Labs in Berlin wrote:Chrome extensions are evil. Chrome extensions, if you've never done them, it's almost like they were invented for banking Trojans.
Return to Jamstash (formerly MiniSub)
Users browsing this forum: No registered users and 8 guests