savannah-hackers-public

Re: [Savannah-hackers-public] changing password when registering


From: Ineiev
Subject: Re: [Savannah-hackers-public] changing password when registering
Date: Mon, 3 Jul 2017 04:53:17 -0400
User-agent: Mutt/1.5.21 (2010-09-15)

On Fri, Jun 30, 2017 at 01:54:45AM -0400, Ineiev wrote:
> On Thu, Jun 29, 2017 at 06:21:22PM -0600, Bob Proulx wrote:
> > Ineiev wrote:
> > > In savane/frontend/php/account/register.php, I see a message
> > > like "For better security we advise you to change your password
> > > as soon as possible." (it's sent in the confirmation message).
...
> > The link sent to you by email may be eavesdropped upon.  But when you
> > connect with https then if you trust the CA (certificate authority)
> > that signed the https certificate (historically there have been
> > problems with that) then you can trust that your connection to the
> > site is secure.  Changing your password over https should be very
> > secure.  More so than if anything is sent to you by email.
> >
> > Also I will note that there have been some incidents at other sites
> > where SMS text messages were subverted.  Therefore SMS tokens are not
> > good security either.
> 
> The registration form (including the password) is sent over HTTPS,
> so it should be equally secure. Plain-text email isn't secure,
> and I can see how it could be used to register with another person's
> email account, but it isn't clear to me how one could use the hash
> to compromise the password.

If we can't find the reason, I'd suggest replacing that notice
with a recommendation to register a GPG key like "For better
security we advise you to register an encryption-capable GPG key
and enable sending password reset messages encrypted; in which
case, be sure to request a reset and check that you actually can read
those messages."

Attachment: signature.asc
Description: Digital signature

