Our IT Security team reached out suggesting Jira passwords are exposed within the firewall. We have implemented Secure LDAP, and Jira is running behind an Apache firewall with a valid GoDaddy cert and is accessible over HTTPS. The Jira Software Server version is 8.8.0. The screenshot below shows the Form Data with the exposed password.
Has anyone successfully masked this on Atlassian applications? I'd much appreciate any suggestions/pointers.
Hi @Anand Dandikar, great question - I can see how this could be concerning at first glance.
Although the connection between your browser and Jira (and Jira and your LDAP server) is encrypted, the endpoints have to have the decrypted data in order to do something with it. For example, when you type the password into the password field, your browser must have your raw (unencrypted) password in order to then encrypt it. This is what you're seeing in the developer tools. Chrome then encrypts the login and password before submitting it over the network.
The browser is going to be aware of your inputs - and there's no avoiding that. This isn't specific to Jira; it's any password field on any website (see this Stack Overflow thread for more information). But in order for an attacker to make use of that data, they'd need to have control over your local machine in order to extract it from Chrome before it becomes encrypted. At that point, they could also keylog your machine to intercept the characters before they even reach the browser.
I'm glad your IT team is considering application security! In this regard, the most important thing is making sure the connection is encrypted at the browser (Chrome will give you the padlock, or throw some very angry warnings if the connection is not secure). With Apache running as a reverse proxy for Jira (presumably these are on the same machine / VM), and the connection encrypted between Apache and Chrome, you should be in good shape.
Daniel | Atlassian Support
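As an added illustration of the point above (this is example configuration written for this thread, not Jira's, Atlassian's or the poster's own files): an Apache reverse-proxy virtual host that turns every plain-HTTP request into an HTTPS redirect, sets HSTS so the browser will not even attempt HTTP next time, and only then hands the request to Tomcat. The hostname `jira.example.com`, the certificate paths and the assumption that Tomcat listens on `127.0.0.1:8080` on the same host are placeholders; adjust them to your deployment.

```apache
# Port 80: never serve the login form here; send everything to HTTPS.
<VirtualHost *:80>
    ServerName jira.example.com
    Redirect permanent / https://jira.example.com/
</VirtualHost>

# Port 443: the only place the browser ever submits the login form.
<VirtualHost *:443>
    ServerName jira.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/jira.example.com.pem      # placeholder path
    SSLCertificateKeyFile   /etc/ssl/private/jira.example.com.key    # placeholder path
    SSLCertificateChainFile /etc/ssl/certs/godaddy-intermediate.pem  # placeholder path
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Tell browsers to use HTTPS for this host for a year, including subdomains.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Reverse proxy to Tomcat. Assumes Apache and Tomcat share a host, so this
    # hop never leaves the machine. If Tomcat is on another host, terminate TLS
    # on Tomcat as well and proxy to https://... with SSLProxyEngine On.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

For the Tomcat side, the HTTP connector in `server.xml` should carry `scheme="https"`, `secure="true"`, `proxyName="jira.example.com"` and `proxyPort="443"` so that Jira generates HTTPS links and marks its session cookie as secure. None of this changes what appears in the browser's developer tools: the form data is captured there before TLS is applied, which is exactly the behaviour described in the answer above. What the configuration does ensure is that the password is encrypted on every network hop, which is the part an administrator actually controls.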
Thanks @Daniel Eads. What you explained about data being encrypted after it leaves the client makes sense. So, Apache doesn't go that far as to encrypt it directly from the login form, huh! It would be interesting to know how the packet transfer works between the client, AD server, application server and database server once we hit the login button on Jira. Are any configurations possible at all from Apache or Tomcat's server.xml? Or is there any other way to encrypt it aside from Apache and Tomcat?