[TH] Install and Upgrade [Deleted]

Yes, have password unencrypted of the ftp, waindingo.org and xenforo.com scare me a little.

I was thinking of create a secondary xenforo user like Kintaro-install to use it only for your install-upgrade addon, but then I saw that additional credentials are stored (ftp and waindigo.org)

Do you mean master password (not saved in the DB) that works as the secret key to unencrypt? Could be a solution.

So to install-upgrade you have to manually insert the master password every time, right? I think can be a good idea.

Someone maybe doesn't care about it so I think it's better to make it optional.
 
Kintaro said:
Do you mean master password (not saved in the DB) that works as the secret key to unencrypt? Could be a solution.

So to install-upgrade you have to manually insert the master password every time, right? I think can be a good idea.
Click to expand...
Correct. Might be possible to just unencrypt the data when the admin logs in or something like that.

Another alternative would just be to store the data in cookies, so then you would just have to re-enter it if you used a different computer.
 
Jon W said:
Correct. Might be possible to just unencrypt the data when the admin logs in or something like that.
Click to expand...

In this way there's no need of an extra password but you have to encrypt and crypt during login and logout of an admin, right? In very busy forums with more than an admin that data will be unencrypted most of the time.

Said that I'm in favor also of an install/upgrade password. With all that password managers out there I don't see an extra password as a problem anymore. :D

Jon W said:
Another alternative would just be to store the data in cookies, so then you would just have to re-enter it if you used a different computer.
Click to expand...
but there will be unencrypted data in the cookies, right?
 
Jon W updated Install and Upgrade by Waindigo with a new update entry:

Version 1.4.8 released

New features:
  • Stored credentials for waindigo.org can now be deleted once your installation has been associated with your waindigo.org account, to avoid having to store your account details in plain text.
  • Stored credentials for all sites can now be encrypted (premium feature). Encryption is performed using an encryption key that is generated based on your Admin Control Panel password whenever you log in and is then stored as a session cookie. As such, admins will no...
Click to expand...

Read the rest of this update entry...
 
Kintaro said:
In this way there's no need of an extra password but you have to encrypt and crypt during login and logout of an admin, right? In very busy forums with more than an admin that data will be unencrypted most of the time.

Said that I'm in favor also of an install/upgrade password. With all that password managers out there I don't see an extra password as a problem anymore. :D

but there will be unencrypted data in the cookies, right?
Click to expand...
I've gone for an encryption key being stored as a session cookie on login to the Admin Control Panel. Decryption is performed on demand using the encryption key, so at no point are passwords being stored unencrypted on the server.
 
xenBoost Mike said:
@Jon W Will this feature enable by default for my clients sites detected on my IP subnets using your add-on?
Click to expand...
Nope, sorry. Everyone has to subscribe to get Premium features and support. All your customers get commercial licenses and branding free as long as they have this add-on installed and linked to their waindigo.org account, so they can benefit from this update:
Stored credentials for waindigo.org can now be deleted once your installation has been associated with your waindigo.org account, to avoid having to store your account details in plain text.
Click to expand...
 
Bubka3 said:
Um, why is security being offered as a "premium" feature? That doesn't seem very fair.
Click to expand...
Its not like there is a massive security hole in this add-on. It would still require someone to hack in to the site and this add-on doesn't make that any more likely. It is just an extra level of security, so it is a premium feature.
 
Jon W said:
Its not like there is a massive security hole in this add-on. It would still require someone to hack in to the site and this add-on doesn't make that any more likely. It is just an extra level of security, so it is a premium feature.
Click to expand...
Jon I'm ok for the premium thing, but you can't say this is an "extra level of security". It is normal to encrypt stored credentials. IMHO an extra level of security could be a "2nd factor authentication". ;)
 
Kintaro said:
Jon I'm ok for the premium thing, but you can't say this is an "extra level of security". It is normal to encrypt stored credentials. IMHO an extra level of security could be a "2nd factor authentication". ;)
Click to expand...
Then XenForo is insecure because it stores your database details in plain text?

The passwords are not exactly stored insecurely. They are protected by other passwords, but are stored in plain text. It is an extra level of security to encrypt them.
 
Last edited:
I'm not sure I've ever seen so many updates in such a short time frame from one developer. Is it possible some of these versions could be consolidated to eliminate weeks where four and five updates are rolled out?
 
Since latest update, multi upload no longer works. trying both /home/username/upload and ../upload as the bath list all the addons, but you get the error "The files associated with this add-on could not be found. Please upload them and try again." trying to install any of them.
 
Dryline said:
I'm not sure I've ever seen so many updates in such a short time frame from one developer. Is it possible some of these versions could be consolidated to eliminate weeks where four and five updates are rolled out?
Click to expand...
Unless there are bug fixes, you don't have to update every time there is a new release. That being said, it is so easy to update add-ons with this add-on anyway, why wouldn't you?
 
xenBoost Mike said:
Since latest update, multi upload no longer works. trying both /home/username/upload and ../upload as the bath list all the addons, but you get the error "The files associated with this add-on could not be found. Please upload them and try again." trying to install any of them.
Click to expand...
Try the path "install/data" to see if that works. If so, it is probably a permissions issue. There is nothing in the latest update that should break anything.
 
Jon W said:
Unless there are bug fixes, you don't have to update every time there is a new release. That being said, it is so easy to update add-ons with this add-on anyway, why wouldn't you?
Click to expand...

Thanks for the reply Jon. It's mainly the time savings involved with the frequency of needing to update. No worries if a few non-bug related in a series can be skipped per your reply.
 
You must log in or register to reply here.

Similar threads

F
  • Solved
Install and upgrades post support period
Replies
2
Views
626
FidoMike
F
XenConcept
[XenConcept] Install And Upgrade
Replies
9
Views
1K
XenConcept
XenConcept
Russ
  • Suggestion Suggestion
Implemented One-click install and upgrade styles
Replies
6
Views
2K
Alpha1
Alpha1
ThemeHouse
Install and Upgrade
15 16 17
Replies
333
Views
26K
mattrogowski
mattrogowski
Wasserlasser
  • Question Question
Install and Upgrade of AddOns and Updates in XF 2.0
Replies
6
Views
2K
Wasserlasser
Wasserlasser
Top Bottom