distrust http (except for localhost)

2026-05-29 16:10:19 +00:00 · 2026-03-11 22:01:21 +01:00
parent c52b3fc4ad
commit 998664acc3
1 changed files with 15 additions and 0 deletions
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
@@ -73,6 +73,9 @@ public class CheckHostTrustController implements FxController {
 			trust(); // trust *.cryptomator.cloud by default, domain is owned by Cryptomator maintainers
 		} else if (containsAllowedHosts(env.hubAllowedHosts())) {
 			trust(); // trust hosts explicitly allowlisted via system property
+		} else if (isHttpHost() && !isLocalhost()) {
+			LOG.warn("Denying attempt to connect to hub instance via unencrypted HTTP.");
+			deny(); // never trust http hosts except for local testing
 		} else if (env.hubTrustOnFirstUse() && containsAllowedHosts(settings.trustedHosts)) {
 			trust(); // trust hosts previously allowlisted by the user
 		} else if (env.hubTrustOnFirstUse()) {
@@ -125,6 +128,18 @@ public class CheckHostTrustController implements FxController {
 		return canonicalHubHost.endsWith(TRUSTED_CRYPTOMATOR_CLOUD_DOMAIN) && canonicalAuthHost.endsWith(TRUSTED_CRYPTOMATOR_CLOUD_DOMAIN);
 	}

+	private boolean isHttpHost() {
+		var canonicalHubHost = hubConfig.getApiBaseUrl().getScheme();
+		var canonicalAuthHost = URI.create(hubConfig.authEndpoint).getScheme();
+		return "http".equalsIgnoreCase(canonicalHubHost) || "http".equalsIgnoreCase(canonicalAuthHost);
+	}
+
+	private boolean isLocalhost() {
+		var canonicalHubHost = hubConfig.getApiBaseUrl().getHost();
+		var canonicalAuthHost = URI.create(hubConfig.authEndpoint).getHost();
+		return "localhost".equalsIgnoreCase(canonicalHubHost) || "localhost".equalsIgnoreCase(canonicalAuthHost);
+	}
+
 	@VisibleForTesting
 	boolean containsAllowedHosts(Set<String> allowedHubHosts) {
 		var canonicalHubHost = getAuthority(hubConfig.getApiBaseUrl());