Hi Stefan, > linux norman internet update deamon (niu) sends our > corporate license key in cleartext over http when the > first update is triggered. Similar problems (use of insecure channels) was reported on June 9, 2009 with their Windows software. Jeff On Tue, Sep 1, 2009 at 3:00 AM, Stefan Bauer<stefan.bauer@xxxxxxxxxxx> wrote: > I just discovered, that the linux norman internet update deamon > (niu) sends our corporate license key in cleartext over http when > the first update is triggered. Output of niu --trace shows > > SelectNextValServer (1): first: 0 > ExtractValServer: 0 from 'niuone.norman.no': Found 'niuone.norman.no' > sAuthUrl='niuone.norman.no/scripts/NIUSrv.dll?GetUpdateInfo?1$asdfa-asdfa-asdfa- > > asdfa-asdfa$000020022050205220702072208020822$5'(117) > > asdfa-asdfa-asdfa-asdfa-asdfa is our key. > > Norman confirmed the bug but did not provide a timeline for any updates. > > Regards > > -- > cubewerk ------------------------------ stefan.bauer@xxxxxxxxxxx > IT-Beratung + Planung ------------------- Tel +49 8621 996 02 37 > Herzog-Otto-Straße 32 ------------------- Fax +49 7211 513 38551 > 83308 Trostberg -------------------------------- www.cubewerk.de >
