Even when using SSL, browser is asked to load non-SSL content.

Sat Jul 26, 2014 2:03 pm in AirDroid Web

page 1 / 2 << 1, 2 >> go to
ADFHogan
OP

Even when using SSL, browser is asked to load non-SSL content.

I've noticed of late when I connect to airdroid with SSL in Lite mode (Eg. I turn it on in widget and then connect to URL it displays in widget), even though I'm using HTTPS, it still attempts to load some non SSL resources.

Examining the page source code:
stateUrl: "http://stat.airdroid.com:8202/",
...
partnerConfigUrl: "http://cdn1.airdroid.com/partner/partnerConfig.js",
openUrl: "http://open.airdroid.com/demo/index.html"

These should follow the connection protocol being used for the page (the same way that Google Analytics's code switches between http and https depending on what's in use), particularly the "partnerConfigUrl" portion, which is pulling in Javascript (which is what I suspect Chrome is complaining about every time). What does this do anyway? I'm thinking it's the bit that's pulling in the ad for Themer? Either way, the browser interface hangs unless you tell chrome to accept the script over insecure link.
ADFHogan
LVHAlfons
#1

Title

Hi ADFHogan,
Thanks for your feedback.

Actually the resource you mentioned are some static resources, they are unrelated to the private user data. Please rest assured.

This article may help: http://help.airdroid.com/customer/porta ... bout-https

Feel free to let us know if you need further help : )
LVHAlfons
robezno
#2

Title

Hi Admin,
I understand that user data isn't being submitted, and that it's a resource being pulled in. Most browsers won't complain about static content being pulled in without SSL (eg. graphics etc.)... However, things like Javascript can contain dynamic content can be a concern as they enable a greater attack surface for MITM attacks.

view-source:http://cdn1.airdroid.com/partner/partnerConfig.js contains:

Airdroid.PartnerConfig={Themer:{url:"https://api.themerapp.com/themes/airdroid#/themes/trending",appId:"com.mycolorscreen.themer",playUrl:"https://play.google.com/store/apps/details?id=com.mycolorscreen.themer&referrer=utm_source%3Dairdroid%26utm_medium%3Dandroid",api:{broadcastAction:"com.mycolorscreen.themer.INTENT_APPLY_THEME"}}};

So partnerConfig.js script is the bit that loads in the ads for your business partners, presently "Themer". I don't have anything against advertising (you give us a free app), however, this should be pulled in using SSL given it's script that's evaluated rather than just plain data, when the user has elected to use SSL.

The CDN that you're pulling the configuration script from does support SSL using a GoDaddy wildcard SSL cert.
robezno
robezno
#3

Title

... alternatively, perhaps consider retrieving data to process (XML?) as opposed to script.
If you've deliberately elected to use the script method so you can dynamically pull in different types of ad experiences without having to push out an update to the app, then it's not really static data in the ultimate sense.
robezno
LVHAlfons
#4

Title

Hi ADFHogan,
Thanks.

I've passed this to the developers. They told me that improvement will be made in next web update (which is supposed to be released around 8/15): the dynamic js will be loaded using SSL.

Thank you again for your suggestion : )
LVHAlfons
robezno
#5

Title

This is still happening.

Image
robezno
robezno
#6

Title

Using Chromium Version 37.0.2062.94 and also happens in latest Windows Chrome
robezno
robezno
#7

Title

Seems that the partner info isn't the only non SSL stuff loaded - AirDroid also opens a websocket connection on port 8889 to the mobile device when in Lite mode that is not using SSL.
Image
robezno
robezno
#8

Title

SSL seems to be in the minority for a lot of stuff.. Seeing more things pop up:
Image
robezno
LVHAlfons
#9

Title

Hi ADFHogan,
Please click "Load unsafe script" > "Done", and follow the steps of using Lite Mode:

Image

Feel free to let us know if the issue still remains :)
LVHAlfons
(Sign in or sign up to post a reply.)
page 1 / 2 << 1, 2 >> go to

Statistics

24655 posts

7416 threads

Members: 235046

Latest Member: Nazir Emrani

Online: 33

cron