Passwords sent to server unencrypted
Bug #1018889 reported by
hexafraction
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Stackfail |
Triaged
|
Medium
|
Stackfail security team | ||
Bug Description
Stackfail currently has no way of keeping passwords sent to the server from the client secure. Any Javascript attempt to do client-side crypto would be foiled by XSS or in-transit hijacking, and a plaintext password is obviously not secure from packet sniffers. The only current resolution is to use TLS or SSL, which is not feasible for many administrators using this product.
| Changed in stackfail: | |
| importance: | Medium → Low |
Revision history for this message
| hexafraction (rarkenin) wrote | #1 |
| Changed in stackfail: | |
| status: | Triaged → Won't Fix |
Revision history for this message
| hexafraction (rarkenin) wrote | #2 |
| Changed in stackfail: | |
| status: | Won't Fix → Triaged |
| importance: | Low → Medium |
To post a comment you must log in.
Won't fox because we can't fix yet. If anybody has an idea that can resolve it, feel free to register a blueprint and attach it here, or just discuss the idea informally here.