Dialog Editor > HTMLViewer no support for https:// link?

Posted: Mon Jun 27, 2016 1:02 pm
by bigstar
Hello,

With the move to protect customers from HTML-injections and other man-in-the-middle attacks we've been moving away from http:// links in favor of https:// links.

I am using the latest version X4 build 5.13.2016.

However it appears that the HTMLviewer component is unable to open https:// links in the default web browser, or any browser for that matter; clicking on the link has absolutely no effect at all.

Now if we change https:// to http://, it works correctly and the page is opened in the default web browser.

This works

<a href="http://www.flashfxp.com">www.flashfxp.com</a>


This doesn't

<a href="https://www.flashfxp.com">www.flashfxp.com</a>

I tested this problem on multiple systems from Windows 7 to Windows 10 all with the same result.

Re: Dialog Editor > HTMLViewer no support for https:// link?

Posted: Mon Jun 27, 2016 1:56 pm
by FrancescoT
Dear Bigstar,

I don't believe HTMLviewer supports HTTPS links directly, but you can always redirect HTTP to HTTPS from your server.

For example, try the link "http://www.google.com"; this will be redirected to "https://www.google.com" ... and in this case it works.

Hope this helps you.

Regards

Re: Dialog Editor > HTMLViewer no support for https:// link?

Posted: Wed Jun 29, 2016 7:44 am
by bigstar
Thanks for replying.

We are using the http to https redirect method but our goal was to eliminate the need for this insecure redirect.

Are there any plans to update the HTMLviewer component to support HTTPS directly?

Re: Dialog Editor > HTMLViewer no support for https:// link?

Posted: Wed Jun 29, 2016 12:17 pm
by FrancescoT
Dear Bigstar,

In all honesty, I don't believe that the redirection itself can cause a security problem. It's just a redirection and the final link is HTTPS anyway.
This approach is widely used.

Currently I am not informed about a possible HTTPS implementation with the HTMLviewer.

Regards

Re: Dialog Editor > HTMLViewer no support for https:// link?

Posted: Fri Jul 15, 2016 10:22 am
by bigstar
Based on information I've gathered via Google, I would have to disagree and say that this is a security problem.

Quoted from http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part4.html

The idea is that if you attack the transition from an unsecured connection to a secure one, in this case from HTTP to HTTPS, you are attacking the bridge and can man-in-the-middle an SSL connection before it even occurs.


When can we expect to see support for HTTPS:// links?
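
An added example, not part of any post in this thread: a Python check over a recorded redirect chain that flags the hop the quoted article describes, the request sent over http:// before the redirect to https://. It goes slightly beyond the thread by also checking whether the final HTTPS response sets a Strict-Transport-Security header; the host name, header values and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample chains: (requested URL, status, response headers).
# Host name and header values are illustrative, not captured traffic.
VIA_REDIRECT = [
    ("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
DIRECT_HTTPS = [VIA_REDIRECT[1]]


def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), None)


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if missing or malformed."""
    value = header(headers, "strict-transport-security") or ""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def audit_chain(chain):
    """List (hop index, finding, URL) for hops an on-path party could alter."""
    findings = []
    for i, (url, status, headers) in enumerate(chain):
        scheme = urlsplit(url).scheme.lower()
        if scheme == "http":
            # Request and redirect response travel unauthenticated.
            findings.append((i, "cleartext-request", url))
        target = header(headers, "location")
        if (scheme == "https" and 300 <= status < 400 and target
                and urlsplit(target).scheme.lower() == "http"):
            findings.append((i, "downgrade-redirect", target))
    last_url, _, last_headers = chain[-1]
    # max-age=0 clears the policy, so it counts as no HSTS.
    if urlsplit(last_url).scheme.lower() == "https" and not hsts_max_age(last_headers):
        findings.append((len(chain) - 1, "no-hsts", last_url))
    return findings


if __name__ == "__main__":
    for name, chain in (("via redirect", VIA_REDIRECT), ("direct https", DIRECT_HTTPS)):
        print(name, audit_chain(chain))
```

An HSTS policy only helps a browser that already holds it, so the first click on an http:// link still crosses the network in cleartext; a direct https:// link produces no finding at all.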

Re: Dialog Editor > HTMLViewer no support for https:// link?

Posted: Fri Jul 15, 2016 1:46 pm
by FrancescoT
Unfortunately, as I have already said, currently I am not informed about a possible HTTPS implementation with the HTMLviewer.

Regards