Passwords sent to server unencrypted
Bug #1018889 reported by hexafraction
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Stackfail | Triaged | Medium | Stackfail security team |
Bug Description
Stackfail currently has no way of keeping passwords sent to the server from the client secure. Any JavaScript attempt to do client-side crypto would be foiled by XSS or in-transit hijacking, and a plaintext password is obviously not secure from packet sniffers. The only current resolution is to use TLS or SSL, which is not feasible for many administrators using this product.
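The description's point about in-transit hijacking is easy to see concretely. The following is an added, constructed example (not Stackfail code, and not the reporter's): a hypothetical login endpoint, a browser form body sent over plain HTTP, and a passive sniffer. Hashing the password in the browser before sending only changes what the server accepts as the credential; the sniffer replays the captured body and logs in either way, so client-side hashing hides the plaintext from the wire but does not stop the attack. The `Server` class, the fixed salt, the user and the password are all assumptions made for the demonstration.

```python
"""Constructed demonstration (not Stackfail code): why hashing the password
in client-side JavaScript does not protect a login sent over plain HTTP.
A passive sniffer captures the POST body; whatever the client sent, hashed
or not, is a bearer credential the attacker can replay to the same server.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode


class Server:
    """Hypothetical login endpoint. It stores a salted hash of whatever the
    client submits in the ``password`` field and compares it on login."""

    def __init__(self) -> None:
        # A fixed salt keeps the example deterministic; a real server would
        # use a random per-user salt and a slow password hash.
        self._salt = b"constructed-static-salt"
        self._users: dict[str, str] = {}

    def _digest(self, credential: str) -> str:
        return hashlib.sha256(self._salt + credential.encode()).hexdigest()

    def register(self, user: str, credential: str) -> None:
        self._users[user] = self._digest(credential)

    def login(self, body: str) -> bool:
        """Check a form body, whether it came from a live client or a replay."""
        form = parse_qs(body)
        user = form.get("user", [""])[0]
        credential = form.get("password", [""])[0]
        expected = self._users.get(user)
        if expected is None:
            return False
        return hmac.compare_digest(self._digest(credential), expected)


def client_plain(user: str, password: str) -> str:
    """Form body a browser sends with no client-side crypto."""
    return urlencode({"user": user, "password": password})


def client_hashed(user: str, password: str) -> str:
    """Form body after 'client-side crypto': the password is SHA-256 hashed
    in the browser before it leaves. That hash is now what the server accepts."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return urlencode({"user": user, "password": digest})


def sniff(body: str) -> str:
    """Passive on-path attacker: over plain HTTP the body is visible verbatim."""
    return body


def run_attack(make_body) -> dict:
    """Register a user via one client variant, sniff a login, then replay it."""
    server = Server()
    user, password = "alice", "correct horse battery staple"  # constructed
    # Registration goes through the same client code path, so the server
    # stores whatever form of the credential that client variant sends.
    server.register(user, parse_qs(make_body(user, password))["password"][0])

    wire = sniff(make_body(user, password))
    seen = parse_qs(wire)["password"][0]
    return {
        "attacker_learns_plaintext": seen == password,
        "attacker_replay_succeeds": server.login(wire),
    }


def plaintext_case() -> dict:
    return run_attack(client_plain)


def client_hash_case() -> dict:
    return run_attack(client_hashed)


if __name__ == "__main__":
    print("plaintext:  ", plaintext_case())
    print("client hash:", client_hash_case())
```

In both cases the replay succeeds; the hashed variant only keeps the literal password off the wire. An active attacker or an XSS payload, which the description also mentions, could additionally alter the page's script, which is why the report concludes that transport encryption (TLS) is the only real fix.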
Changed in stackfail: importance: Medium → Low
Won't fix because we can't fix yet. If anybody has an idea that can resolve it, feel free to register a blueprint and attach it here, or just discuss the idea informally here.