Re: [Savannah-hackers-public] changing password when registering
From: Ineiev
Subject: Re: [Savannah-hackers-public] changing password when registering
Date: Mon, 3 Jul 2017 04:53:17 -0400
User-agent: Mutt/1.5.21 (2010-09-15)
On Fri, Jun 30, 2017 at 01:54:45AM -0400, Ineiev wrote:
> On Thu, Jun 29, 2017 at 06:21:22PM -0600, Bob Proulx wrote:
> > Ineiev wrote:
> > > In savane/frontend/php/account/register.php, I see a message
> > > like "For better security we advise you to change your password
> > > as soon as possible." (it's sent in the confirmation message).
...
> > The link sent to you by email may be eavesdropped upon. But when you
> > connect with https then if you trust the CA (certificate authority)
> > that signed the https certificate (historically there have been
> > problems with that) then you can trust that your connection to the
> > site is secure. Changing your password over https should be very
> > secure. More so than if anything is sent to you by email.
> >
> > Also I will note that there have been some incidents at other sites
> > where SMS text messages were subverted. Therefore SMS tokens are not
> > good security either.
>
> The registration form (including the password) is sent over HTTPS,
> so it should be equally secure. Plain-text email isn't secure,
> and I can see how it could be used to register with another person's
> email account, but it isn't clear to me how one could use the hash
> to compromise the password.
If we can't find the reason, I'd suggest replacing that notice
with a recommendation to register a GPG key like "For better
security we advise you to register an encryption-capable GPG key
and enable sending password reset messages encrypted; in which
case, be sure to request a reset and check that you actually can read
those messages."