Make HTTPS the default for accessing the Dashboard

As the internet and even private networks become targets of internet crime more and more, I think it’s about time to make HTTPS the default protocol for accessing the Dashboard, or at least to provide an option that makes the My Cloud redirect you to HTTPS when you arrive over plain HTTP.
I know you have to manually trust the certificate the My Cloud uses, but it’d be worth it for having an encrypted connection when you submit your administration password.


Status: Acknowledged

Idea submitted for voting.
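The redirect the idea asks for, written out as an added example in Python (it is not the My Cloud's own code, and the page does not say what web server the device's dashboard runs on): a WSGI middleware that answers any plain-HTTP request with a 301 to the same URL over HTTPS and adds a Strict-Transport-Security header to HTTPS responses, plus a small checker that decides whether a response a device returned really is a redirect to HTTPS on the same host. The host name `mycloud.local`, the path `/UI/` and the `dashboard_app` stand-in are constructed for the example.

```python
# Added example (not the My Cloud's own code): an HTTP-to-HTTPS redirect
# policy for an admin dashboard, written as a WSGI middleware, plus a small
# checker that tells whether a response a device sent back actually is a
# redirect to HTTPS. Host names and paths below are constructed.
from urllib.parse import urlsplit

REDIRECT_STATUSES = {"301", "302", "307", "308"}
HSTS_VALUE = "max-age=31536000"  # one year; assumed value, not from the page


def require_https(app):
    """Wrap a WSGI app so that any plain-HTTP request is answered with a
    301 to the same URL over https://, and every HTTPS response carries
    Strict-Transport-Security so browsers stop trying HTTP afterwards."""
    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
        path = environ.get("PATH_INFO", "") or "/"
        query = environ.get("QUERY_STRING", "")
        if scheme != "https":
            # Preserve host, path and query; only the scheme changes.
            location = "https://%s%s" % (host, path)
            if query:
                location += "?" + query
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)
        return app(environ, start_with_hsts)
    return wrapped


def dashboard_app(environ, start_response):
    """Stand-in for the dashboard itself: a constructed login page."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>login form here</body></html>"]


def call(app, scheme, host, path="/", query=""):
    """Invoke a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host,
               "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def is_https_redirect(requested_url, status, headers):
    """True if a response to an http:// request is a redirect to the same host
    over https://. Useful as a check that a device actually enforces the policy."""
    if status.split(" ", 1)[0] not in REDIRECT_STATUSES:
        return False
    location = headers.get("Location")
    if not location:
        return False
    wanted, got = urlsplit(requested_url), urlsplit(location)
    # hostname ignores any explicit port, so host:80 -> host:443 still matches
    return got.scheme == "https" and got.hostname == wanted.hostname


if __name__ == "__main__":
    secured = require_https(dashboard_app)
    status, headers, _ = call(secured, "http", "mycloud.local", "/UI/", "lang=en")
    print(status, headers["Location"])  # prints: 301 Moved Permanently https://mycloud.local/UI/?lang=en
    print(is_https_redirect("http://mycloud.local/UI/?lang=en", status, headers))  # prints: True
    status, headers, _ = call(secured, "https", "mycloud.local", "/UI/")
    print(status, headers["Strict-Transport-Security"])  # prints: 200 OK max-age=31536000
```

One caveat that ties back to the certificate point in the post: once a browser has seen Strict-Transport-Security for a host, it no longer lets the user click through a certificate warning for that host. The device's self-signed certificate therefore has to be trusted (imported) by the clients before the header is enabled, otherwise the dashboard becomes unreachable from those browsers.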

Finally someone else concerned about security. I’ve turned mine off due to a major security hole in the API behind the dashboard, mobile, and WD Sync features.

Actually, if that’s true, this is just disturbing. Especially, but not only, because all the My Cloud devices obviously support HTTPS and FTPS/FTP-SSL, since it’s possible to access the dashboard via HTTPS and mount network shares via FTPS.
I would recommend mounting all shares manually, then, until the problem gets addressed. And for global connections from outside your private network there’s VPN.
I don’t want to blame WD because I am not into this problem enough to tell whether it is true and still there, but if it were, I must say I’d be enormously disappointed, given that WD advertises the My Cloud using the privacy aspect.

To recreate it is simple. Download Fiddler from Telerik (if using Windows). Turn off “Enable SSL when syncing files on my local network”. You’ll see transactions flowing through the device. You can save the session so you can view it later.

Now go to a coffee shop with your laptop that has the same subnet as your local LAN (e.g. 192.168.0.x in my case). The unchecked SSL option will allow you to capture the transactions. The WD Sync software only checks to see if the subnet matches and not if the device actually exists locally. It will later shift from the local address to the external address, but still using the plain-text (open for all to see) transport.

Look for the GET request that contains the device, then capture it. I was able to replay this transaction more than a week later. I just re-enabled it and was able to get a response, but with no file details returned since the metabase was probably still building.

You can also stream videos using your mobile, and you’ll see http in the address before the video loads. I was on LTE at work when I took this screenshot.