Version 25 - 06.04.2018 - GoEdit Administrator
Created: 11.10.2017
Type: Document

The MSI file installs a small helper, which we call the GoEdit Native Client. It lets the attachment you selected in your browser be opened in the corresponding desktop application.

General description

  • Since the browser does not support such an operation due to its sandbox, a small client-side helper is used.
  • The Native Client is written in C++ and uses the official OpenSSL and Qt5 libraries.
  • Three registry keys are created, all in user space (no admin rights needed), to register a protocol handler for GoEdit called "goedit://".

The Native Client downloads the attachment to your computer, opens it, and uploads it back to your Confluence/Jira.

Some security details:

  • The Native Client only talks directly to your Confluence server; it never talks to anything else, nothing external.
  • All data the Native Client downloads (the attachments) is stored on your PC/Mac only.
  • The Native Client MSI ("Download MSI") is not downloaded from an external source but directly from your Confluence (it is bundled with the plugin).

This means that GoEdit can work in:

  • a completely offline environment, where neither your PC nor the Confluence server has access to the internet

Our security-sensitive customers use GoEdit in a completely isolated environment. We are fully enterprise-ready for those scenarios and are focused on always providing this service for our large customers.

Automatic and administrative installation of the helper (distribution):

  • The MSI file can be used to deploy and install the GoEdit Native Client on all your PCs via GPO, so no user has to install it manually (this is optional); see https://goedit.drupal-wiki.com/#chapter:1.1.5

Approved by Anti-Virus & Security Programs

GoEdit has established a high reputation in the Windows safety technology "SmartScreen Application Reputation" and can be safely downloaded and installed in Windows environments.

GoEdit has been approved by Symantec and complies with Symantec Bloodhound technology and Symantec Endpoint Protection (SEP).

GoEdit has been reviewed by McAfee and complies with Intel Security's PUP detection policy.
Detailed Description of the Authentication Process

Phase 1 - Pre-Auth

Procedure:

By clicking "Edit" within Confluence/Jira, the GoEdit client is started with a unique one-time authentication token generated for the session. This token is only valid for GoEdit communication, not for Confluence or Jira in general. The one-time token is used to retrieve the session cookies via a REST endpoint using POST. The token is invalidated immediately after the session cookie has been retrieved and cannot be used again; the one-time concept renders it technically impossible to reuse the token via replay or browser history. The whole communication is secured using RSA and SSL. If SSL encryption is enabled, the communication is protected against man-in-the-middle as well as sniffing attacks.

Security features:

  • Authentication token
    • can only be used once; the one-time concept renders it technically impossible to reuse the token via replay or history
    • can only be used for a limited time of 30 seconds and is invalidated afterwards
    • can only be used for the specific GoEdit REST endpoint; no general OAuth for Confluence/Jira
    • the response is encrypted via RSA and additionally uses SSL when enabled; secured and protected against man-in-the-middle as well as sniffing attacks

Phase 2 - Auth / Comms

Procedure:

After the successful Pre-Auth, all communication is carried out via the user's regular session cookie. The advantage of using cookies is that no authentication details are disclosed within the GET URI. If the user logs out, the session ends and GoEdit can no longer authenticate. Cookies are only held for the current session and only in the volatile random access memory of the GoEdit client, so when the GoEdit client is closed all data is deleted automatically.

With the valid session cookie the GoEdit client can now download the attachment, open the related application and, when the user saves, upload a new attachment version.

All authentication data is deleted immediately when the user saves or cancels, or when the operation times out.

Security features:

  • Session cookie
    • only valid for the current session
    • automatically invalidated on user logout
    • does not disclose authentication details within the GET URI
    • held in volatile random access memory and deleted on closing
    • deleted when the user saves or cancels, or on timeout
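The two phases above can be modelled as a small server/client pair. The following is an added illustration written for this page, not GoEdit's own code: it shows a one-time token that is burned on first presentation, refused after 30 seconds, and accepted only by the GoEdit endpoint, then exchanged for a session cookie that the client holds in memory only and that stops working on logout. The endpoint path, the class names and the check names are assumptions; the RSA/SSL transport layer the page mentions is not modelled.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 30                        # from the page: token lives 30 seconds
GOEDIT_ENDPOINT = "/rest/goedit/1.0/session"  # assumed path; not documented on the page


@dataclass
class OneTimeToken:
    user: str
    endpoint: str       # the only endpoint this token may be presented to
    issued_at: float


class ConfluenceSide:
    """Server model: hands out one-time tokens and tracks live session cookies."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens: Dict[str, OneTimeToken] = {}
        self._sessions: Dict[str, str] = {}   # session cookie -> user

    def issue_token(self, user: str) -> str:
        # Created when the user clicks "Edit"; bound to the GoEdit endpoint only.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = OneTimeToken(user, GOEDIT_ENDPOINT, self._clock())
        return token

    def redeem_token(self, token: str, endpoint: str) -> Optional[str]:
        """POST handler: exchange the token for a session cookie, or refuse."""
        # pop() burns the token on its first presentation, whatever the outcome,
        # so a replayed, mis-routed or expired token can never succeed later.
        record = self._tokens.pop(token, None)
        if record is None:
            return None                       # unknown or already used
        if endpoint != record.endpoint:
            return None                       # presented to a non-GoEdit endpoint
        if self._clock() - record.issued_at > TOKEN_TTL_SECONDS:
            return None                       # older than 30 seconds
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = record.user
        return cookie

    def authorize(self, cookie: Optional[str]) -> Optional[str]:
        """Phase 2: every request carries the cookie; returns the user or None."""
        return self._sessions.get(cookie) if cookie else None

    def logout(self, user: str) -> None:
        # Ending the Confluence/Jira session ends GoEdit's access as well.
        self._sessions = {c: u for c, u in self._sessions.items() if u != user}


class NativeClientSide:
    """Client model: the cookie lives only in memory and is wiped on finish."""

    def __init__(self, server: ConfluenceSide):
        self._server = server
        self._cookie: Optional[str] = None

    def pre_auth(self, token: str) -> bool:
        self._cookie = self._server.redeem_token(token, GOEDIT_ENDPOINT)
        return self._cookie is not None

    def download_attachment(self) -> bool:
        # Stand-in for the real download; succeeds only with a live cookie.
        return self._server.authorize(self._cookie) is not None

    def finish(self) -> None:
        # Save, cancel or timeout: forget all authentication data.
        self._cookie = None


class FakeClock:
    # Controllable clock so the 30-second rule can be exercised offline.
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def walkthrough() -> Dict[str, bool]:
    """Run the whole flow and report whether each security property held."""
    clock = FakeClock()
    server = ConfluenceSide(clock=clock)
    client = NativeClientSide(server)
    results: Dict[str, bool] = {}

    token = server.issue_token("alice")
    clock.now = 5.0
    results["pre_auth_ok"] = client.pre_auth(token)
    results["download_ok"] = client.download_attachment()
    # Replay: the same token presented again (e.g. from history) is refused.
    results["replay_rejected"] = not NativeClientSide(server).pre_auth(token)
    # Scope: a fresh token is useless against any other endpoint.
    other = server.issue_token("alice")
    results["wrong_endpoint_rejected"] = server.redeem_token(other, "/rest/api/content") is None
    # Expiry: a token issued at t=5 and presented at t=45 is refused.
    late = server.issue_token("alice")
    clock.now = 45.0
    results["expired_rejected"] = not NativeClientSide(server).pre_auth(late)
    # Logout on the Confluence side ends the client's ability to authenticate.
    server.logout("alice")
    results["logout_ends_session"] = not client.download_attachment()
    # Finishing the edit wipes the cookie from client memory.
    client.finish()
    results["cookie_wiped"] = client._cookie is None
    return results


if __name__ == "__main__":
    for check, held in walkthrough().items():
        print(f"{check:24s} {'ok' if held else 'FAILED'}")
```

The defensive detail worth noticing is that `redeem_token` removes the token before it checks anything, so a token that fails the endpoint or age check is consumed rather than left available for a second attempt; the client side holds the cookie only as an attribute of a live object, which is the in-memory behaviour the page describes.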
