I just completed a tcpdump session to find out how Confluence protects credentials (user, password).
I was somewhat shocked: everything is plain text. Which possibilities exist to use Confluence outside of the intranet in a professional (safe) way?
Avoiding the HTTPS hassle would be great.
Well, it would be; that's how forms-based auth works, it's open to sniffing. However, the days of the 'one cable' LAN are long gone; an attacker would need to have access to core network infrastructure to do the same, especially true on internal networks.
If you want a secure transport layer you need to use SSL; the middle ground may be to adopt a 3rd-party single sign-on authenticator...
There are no alternatives to "plaintext" transmission of user names and passwords if you are using plain HTTP. Think about it for a second: even if you are encoding passwords in the browser somehow (if this is what you propose), then the encoded value becomes a "plaintext" password accepted by the server. As long as one can sniff your traffic, and you are not re-implementing HTTPS in some way, one can impersonate you.
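An added illustration of the point made in this answer (example code written for this page, not code from the original thread or from Atlassian): a toy server that accepts either the raw password or a browser-side hash of it. The user name, the hashing scheme, the form field names and the "wire" capture are all constructed for the example. Whatever value the server accepts is, by definition, the credential, so an observer of plain HTTP holds a working credential either way; only transport encryption changes that.

```python
"""Why encoding or hashing a password in the browser is not a substitute for HTTPS.

Constructed example: toy server, toy client-side hash, and a simulated plain-HTTP
"wire" on which a form body is visible byte for byte (the tcpdump finding above).
"""
import hashlib
import hmac
import secrets


def client_side_hash(password: str, username: str) -> str:
    """Hypothetical browser-side transform applied before the form is submitted."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


class ToyServer:
    """Stores a salted, stretched hash of whatever value it expects the client to send.

    With prehash_on_client=False it expects the raw password; with True it expects the
    client-side hash. In both cases the expected value is a secret that logs you in.
    """

    def __init__(self, prehash_on_client: bool):
        self.prehash_on_client = prehash_on_client
        self.salt = secrets.token_bytes(16)
        self.users = {}

    def _stored_form(self, value: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode(), self.salt, 10_000)

    def register(self, username: str, password: str) -> None:
        value = client_side_hash(password, username) if self.prehash_on_client else password
        self.users[username] = self._stored_form(value)

    def login(self, username: str, submitted: str) -> bool:
        expected = self.users.get(username)
        if expected is None:
            return False
        return hmac.compare_digest(expected, self._stored_form(submitted))


def browser_submit(server: ToyServer, username: str, password: str) -> dict:
    """Build the form body the browser sends (constructed field names)."""
    value = client_side_hash(password, username) if server.prehash_on_client else password
    return {"username": username, "password": value}


def observed_on_plain_http(form: dict) -> dict:
    """Over plain HTTP the body is visible unencrypted; over HTTPS an observer would see
    ciphertext instead, which is the only case this function does not model."""
    return dict(form)


def wire_value_suffices_to_login(prehash_on_client: bool) -> bool:
    """True if the bytes seen on the wire are enough to authenticate as the user."""
    server = ToyServer(prehash_on_client)
    server.register("alice", "correct horse battery staple")
    form = browser_submit(server, "alice", "correct horse battery staple")
    captured = observed_on_plain_http(form)
    # The server checks exactly the value that was visible on the wire.
    return server.login(captured["username"], captured["password"])


def raw_password_visible(prehash_on_client: bool) -> bool:
    """True if the user's actual password string appears on the wire.

    Client-side hashing hides the raw string (which limits reuse of that password
    elsewhere) but does not stop impersonation of this account.
    """
    server = ToyServer(prehash_on_client)
    server.register("alice", "correct horse battery staple")
    captured = observed_on_plain_http(browser_submit(server, "alice", "correct horse battery staple"))
    return captured["password"] == "correct horse battery staple"


def wrong_credential_rejected(prehash_on_client: bool) -> bool:
    """Sanity check: the toy server still rejects a value it was not given."""
    server = ToyServer(prehash_on_client)
    server.register("alice", "correct horse battery staple")
    return not server.login("alice", "not the value on the wire")


if __name__ == "__main__":
    for mode in (False, True):
        print(f"prehash_on_client={mode}: wire value logs in = {wire_value_suffices_to_login(mode)}, "
              f"raw password visible = {raw_password_visible(mode)}")
```

The point to take from running it: both modes authenticate from the captured value, and the only thing browser-side hashing changes is that the raw password string is not the value on the wire. That is a reason to hash on the server side as well, but not a reason to skip HTTPS.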