HTTPS: No secure logins (also for Clients) and no secure backend with Zenfolio.

Zeaside Member Posts: 8
edited March 2015 in Problem Reports
I have brought this up a couple of years ago already. But nothing seems to have changed. Did anybody notice the lack of HTTPS over the entire backend of Zenfolio (that is the Zenfolio Interface of the Edit/Customize View)?

Nobody thinks this is maybe a serious neglect?

Nobody concerned?

There is a reason why even the most notorious sites (Google, Facebook etc) have meanwhile fully integrated and defaulted to HTTPS as the standard for browsing and using their services.

And look at : The entire backend is in HTTPS.

Imagine: you log in to your Zenfolio account through a public Wifi network. Most of these networks will be unencrypted. (And I bet most of the Zenfolio users, let alone their customers, do not [want to] know a thing about this.) Your login and Zenfolio traffic can be easily captured by anybody in the same network – because Zenfolio still hasn't got HTTPS in place.
This is not a fairytale – but it is an actual threat to your account and your data (source images).

In combination with the lack of a strong two-way authentication on the Zenfolio system, the slack approach of Zenfolio to securing Zenfolio accounts asks for trouble: the likelihood of a hijacked account increases because of the lack of these basic security features. It is your source images we are talking about here.

Or: A client logs in to a gallery and does so via a public network. Same problem: the login page is not secured. The login is fairly easy to capture.

What we see instead is a wild patchwork of pages of the Zenfolio backend interface that work through HTTPS, like initially calling up your Edit view this way: . However, the next best link within the backend will be hard-coded – resetting your HTTPS session to unencrypted HTTP.

The interesting thing here is: The Zenfolio backend actually has been working through HTTPS for years now. Technically, there seems to be no reason not to fix all those hard-coded links to unsecured HTTP pages and functions that populate the interface of the backend.

Why is it so hard to implement HTTPS, Zenfolio?
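The "hard-coded link that resets your HTTPS session to HTTP" problem described in the post can be checked for mechanically. The script below is an added example, not code from the post or from Zenfolio: it parses an HTML page fetched over HTTPS, lists every absolute `http://` link, form action or embedded resource that points back at the same host (the links that silently downgrade the session), and checks whether the response carried a `Strict-Transport-Security` header, which is the standard server-side mechanism (RFC 6797) that makes browsers upgrade such links to HTTPS on their own. The host `example.invalid`, the page path, the markup and the headers are all constructed for the example and stand in for whatever the real backend serves.

```python
"""Audit an HTTPS page for hard-coded http:// links to the same site
and check for an HSTS header.  Added example; the host, markup and
headers below are constructed, not captured from any real service."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a navigation or a subresource load.
URL_ATTRS = {
    "a": "href", "form": "action", "iframe": "src",
    "script": "src", "link": "href", "img": "src",
}


class LinkCollector(HTMLParser):
    """Collects (tag, raw url) pairs for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.links.append((tag, value))


def find_downgrade_links(page_url, html):
    """Return [(tag, absolute_url)] for links on an HTTPS page that
    resolve to http:// on the same host.  Relative links inherit the
    page's https scheme and are therefore not reported; http:// links
    to other hosts are left out because they do not drop this site's
    session (they are still mixed content worth a separate check)."""
    base_host = urlsplit(page_url).hostname
    collector = LinkCollector()
    collector.feed(html)
    downgrades = []
    for tag, raw in collector.links:
        absolute = urljoin(page_url, raw)
        parts = urlsplit(absolute)
        if parts.scheme == "http" and parts.hostname == base_host:
            downgrades.append((tag, absolute))
    return downgrades


def has_hsts(headers):
    """True if the response carries Strict-Transport-Security with a
    positive max-age.  With that header cached, a browser rewrites
    http:// links for the host to https:// before connecting, so a
    stray hard-coded link no longer produces a cleartext request."""
    for name, value in headers.items():
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.strip().lower() == "max-age":
                try:
                    return int(val.strip().strip('"')) > 0
                except ValueError:
                    return False
    return False


# Constructed sample: an editor page served over HTTPS whose menu and
# login form still carry absolute http:// URLs (hypothetical host).
PAGE_URL = "https://example.invalid/editor/"
SAMPLE_HTML = """
<html><body>
<a href="/editor/galleries">Galleries</a>
<a href="http://example.invalid/editor/settings">Settings</a>
<form action="http://example.invalid/login" method="post">
  <input name="user"><input name="password" type="password">
</form>
<img src="//cdn.example.invalid/logo.png">
<a href="https://example.invalid/editor/help">Help</a>
</body></html>
"""
# Constructed response headers: no HSTS at all.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Server": "constructed"}


if __name__ == "__main__":
    for tag, url in find_downgrade_links(PAGE_URL, SAMPLE_HTML):
        print(f"downgrade via <{tag}>: {url}")
    print("HSTS present:", has_hsts(SAMPLE_HEADERS))
```

On the constructed page the audit reports the `Settings` link and, more seriously, the login form action, since a form posting to `http://` sends the credentials in cleartext regardless of how the page itself was loaded. Fixing the links to `https://` (or to scheme-relative paths) removes the downgrade; adding HSTS with a long `max-age` closes the gap for any link that was missed.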

