2 hours ago, SandervG said:
I don't think that is a correct summary of what ctbeke was saying. We are looking into security features, but only a password for the web would be just half a solution for everyone who doesn't have their printer locked up in a room. And having only half security is like no security at all. So instead, we are investing this security issue from a wider perspective, so hopefully it will deliver a solution to every user who needs more security.
If you are suggesting our development team should develop every feature request we get from a user I don't you'll ever see a new product from us ever again and a very strange user interface (based on everyone's individual needs & preferences, but launched for everyone). Instead we hear your request for security, and our response is that we are looking into it but it is not as easy as you might think. Hope this helps to create some perspective!
I know what you mean.
And yes its not possible to develop a software for the need of every user.
But the claim should be the goal.
But a Password Protection just at the webserver ist not a "half" solution in my opinion.
And also nothing special.
Its just normal that a webserver have a password.
My camera at home have a webserver password.
Also if you can go to the camera and kick it from the wall 😄
The printer stands somewhere. Nobody is going to the printer to do something with it or watch it.
But watching this thing while sittion at your working space without standing up...This is what people do....And this would be no longer possible with a webserver password.
If there is a feature to protect the display too in the future ...That would be not a bad thing.
But as long there is no solution for this... Just a webserver pasword would be a better protection than just nothing 😄
Edited by Jonas98
Recommended Posts
yigitdurmus 1
Is it so hard to implement that feature???
Link to post
Share on other sites
ctbeke 133
Firstly, it is not trivial, because we are dealing with a security model that touches the physical and digital domains. For example adding a password to prevent stopping a print job via the local web UI does not add much value, because anyone could walk up to the printer and do it via the display as well. As a result, you'd also have to deal with authentication on the printer itself, which is much harder due to limited input possibilities (no one really wants to enter a full password on such a small screen). The embedded team is working on some options, but there not just not there yet.
Secondly, it is actually not very secure, because in the local networking you cannot deploy HTTPS (this standard requires domain names, it does not work with IP addresses). So any password entered will be sent in plain-text over the local network from your browser to the printer. Very easy to intercept. You also have to store this password then on the printer. Doing SSH into the printer firmware when it's in developer/debug mode then allows you to find these passwords on the file system. Even if that's encrypted, you'd still have plenty of points to start reverse engineering them.
Thirdly, adding authentication to the local web UI is not in line with our future direction. We're implementing all new functionality in the cloud-based Digital Factory, which has proper authentication, two-factor authentication, and way more options to expand upon. The local web UI is mainly there for legacy reasons. For those customers who require that UI to be not accessible, the firewall option works fine.
Hopefully this gives you some insight into our line of thinking, and why we very likely will not add password protection to the local web UI.
Link to post
Share on other sites
Jonas98 19
Sorry but i totaly disagree...
For example:
Printer stands in a seperate room (acess just for autorisated persons)
But printer is in the local network so that i can monitor it.
But so everbody else can watch and change things who have acess to the network.
The room have a door with a simple thing named key 😄
So a simple password protection at the webserver would be a solution for me.
Like every other Network device I know provide (Cameras, diskstations, Octoprint 😉)
I don't understand why proposals like this always are "impossible".
The customers who really use your product are the best developer team.
For free of course.
I think ultimaker have to be happy to get this feedback.
Its the best and practical
feedbak you can get.
I just don't know how to say that...
You get from us:
Password protection (just at the web server) would be a nice solution to me.
You say:
Edited by Jonas98Sorry password just on the webserver is no solution for you...
Link to post
Share on other sites
SandervG 1,521
I don't think that is a correct summary of what ctbeke was saying. We are looking into security features, but only a password for the web would be just half a solution for everyone who doesn't have their printer locked up in a room. And having only half security is like no security at all. So instead, we are investing this security issue from a wider perspective, so hopefully it will deliver a solution to every user who needs more security.
If you are suggesting our development team should develop every feature request we get from a user I don't you'll ever see a new product from us ever again and a very strange user interface (based on everyone's individual needs & preferences, but launched for everyone). Instead we hear your request for security, and our response is that we are looking into it but it is not as easy as you might think. Hope this helps to create some perspective!
Link to post
Share on other sites