Seafile webapp - desktop client passwords sent in cleartext over https

Hi, is this a bug or a feature request?
If you log in with the webapp, your password is sent in cleartext.
Because of man-in-the-middle attacks, the password should be encrypted client-side.

copied from google chrome developer tools as curl:

curl 'https://xxxxxxxxxx/login_check' -H 'Cookie: PHPSESSID=fio3h6cqvjvj6tjgmsa9m1gem5' -H ... --data '_username=sisyphus74&_password=XXXXXXXXXX_locale=de' --compressed

Even the password of an encrypted library is sent in cleartext:
encrypted library:
curl 'https://xxxxxxx/api/v2.1/repos/xxxxxxxxxxxxx/set-password/' -H ... --data 'password=XXXXXXXXXXX' --compressed

Is the forum the right platform for this issue or should I open a GitHub ticket?


This is expected. The password is protected by TLS. After first login only the token should be transferred.

This is already a relatively good implementation.

Hi shoeper, thanks for your answer.
Is this perhaps an issue for the future? Or is anything else planned?
I think about different browsers, desktops, wifi, internet cafes, proxies and of course session timeouts.
I think I heard something about client-side encryption for the Seafile web client being planned for the future. Is this correct?


All major browsers do use relatively secure TLS implementations.

TLS cannot be intercepted when using wifi.

> internet cafe, proxies

Same for this. It would require the operator to install a root certificate on your computer. Otherwise he cannot be man in the middle (or at least it's very hard). Of course, one should NOT click away any warning for wrong certificates in the browser or Seafile client.

> is this correct?

I don't think so. There had been support in the past but it was dropped. Moreover it's not on the roadmap: Roadmap - Seafile

All passwords you type into practically any website are sent over as “plain text”, but encapsulated via SSL/TLS so that it’s encrypted during transfer to the website’s servers.

This is a non-issue, and is in general how logins are handled on the internet.
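The two points made in the replies above (the password is only ever sent inside a verified TLS session, and after the first login only a token travels) written out as a small client. This is an added example, not code from the thread or from Seafile; it assumes Seafile's public `/api2/auth-token/` endpoint and `Authorization: Token` header from the Seafile web API documentation, and the server name is a constructed placeholder.

```python
import json
import ssl
import http.client
from urllib.parse import urlencode, urlsplit

# Seafile web API endpoint that exchanges a password for an API token
# (taken from the public Seafile API docs; the thread itself does not name it).
AUTH_TOKEN_PATH = "/api2/auth-token/"


def tls_context() -> ssl.SSLContext:
    """Strict client context: chain verified against the system trust store,
    hostname checked, TLS 1.2 or newer. This is the programmatic form of
    'never click away a certificate warning': a proxy or hotspot that has no
    trusted root on this machine fails the handshake instead of seeing the password."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def login_request(server_url: str, username: str, password: str) -> tuple:
    """Build the single request that carries the password. Refuses anything
    but https:// so the credential only ever exists inside a TLS session."""
    parts = urlsplit(server_url)
    if parts.scheme != "https":
        raise ValueError("refusing to send a password over %r" % parts.scheme)
    body = urlencode({"username": username, "password": password})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return parts.netloc, "POST", AUTH_TOKEN_PATH, headers, body


def token_headers(token: str) -> dict:
    """Every request after login carries the token, never the password again."""
    return {"Authorization": "Token " + token}


def login(server_url: str, username: str, password: str) -> str:
    """Perform the login over verified TLS and return the API token.
    A certificate failure raises ssl.SSLCertVerificationError; it is deliberately
    not caught, so there is no fallback that would leak the password."""
    host, method, path, headers, body = login_request(server_url, username, password)
    conn = http.client.HTTPSConnection(host, context=tls_context())
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError("login failed with HTTP %d" % resp.status)
        return json.loads(resp.read())["token"]
    finally:
        conn.close()
```

Call `login("https://seafile.example.org", user, password)` once, keep the returned token, and pass `token_headers(token)` on every later request such as the `set-password` call from the first post.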

Thanks very much for these detailed replies.