2011/10/11 Josh Juran <josh@iswifter.net>
On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:

> On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <josh@iswifter.net> wrote:
>
>> Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable.  (Remember Firesheep?)
>
> Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client-based hashing or something?

To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.

Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.

Josh

Shouldn't it be possible to modify the login environment so that a salted hash of the password is produced before sending it to the server, to strengthen the security a little bit?
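To illustrate what the question above runs into, here is an added example (not code from anyone in this thread, and not Bugzilla's own login code). It simulates two toy servers: one that stores a salted hash and accepts the hash itself as the login token, and one that issues a one-time nonce and expects an HMAC over it. A passive observer on the unencrypted channel records exactly what the client sent and presents it again. The salt, password and server classes are all constructed for the example.

```python
"""Why hashing the password in the browser does not substitute for HTTPS.

Toy simulation of the scheme asked about in the thread: the client hashes
the password with a salt before sending it over an unencrypted channel that
a passive observer can read. Everything here is constructed for the
example; no real Bugzilla code or protocol is modelled.
"""
import hashlib
import hmac
import secrets

SALT = b"constructed-per-user-salt"         # assumption: server publishes the salt
PASSWORD = b"correct horse battery staple"  # constructed sample credential


def salted_hash(password: bytes, salt: bytes) -> str:
    """Static client-side hash: H(salt || password)."""
    return hashlib.sha256(salt + password).hexdigest()


class StaticHashServer:
    """Stores H(salt||pw) and accepts any login that presents that value.

    The hash has simply become the password: whoever reads it off the wire
    can log in with it."""

    def __init__(self, password: bytes, salt: bytes):
        self._stored = salted_hash(password, salt)

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(presented, self._stored)


class ChallengeResponseServer:
    """Issues a single-use nonce; the client proves knowledge of the salted
    hash with HMAC(nonce), so a captured response is useless afterwards."""

    def __init__(self, password: bytes, salt: bytes):
        self._key = salted_hash(password, salt).encode()
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: str) -> bool:
        if nonce not in self._outstanding:
            return False                      # unknown or already-used nonce
        self._outstanding.discard(nonce)      # single use
        expected = hmac.new(self._key, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)


def client_response(password: bytes, salt: bytes, nonce: bytes) -> str:
    """What the browser would send in the challenge-response variant."""
    key = salted_hash(password, salt).encode()
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()


def static_scheme_replay():
    """Returns (legitimate login accepted, replay of sniffed value accepted)."""
    server = StaticHashServer(PASSWORD, SALT)
    wire = salted_hash(PASSWORD, SALT)        # travels over plain HTTP
    sniffed = wire                            # passive observer records it
    return server.login(wire), server.login(sniffed)


def challenge_scheme_replay():
    """Same two outcomes for the nonce-based variant."""
    server = ChallengeResponseServer(PASSWORD, SALT)
    nonce = server.challenge()
    wire = client_response(PASSWORD, SALT, nonce)
    sniffed = (nonce, wire)
    accepted = server.login(nonce, wire)
    replayed = server.login(*sniffed)
    return accepted, replayed


if __name__ == "__main__":
    print("static salted hash:   ok=%s replay=%s" % static_scheme_replay())
    print("challenge-response:   ok=%s replay=%s" % challenge_scheme_replay())
```

A static client-side hash protects the original password string from being read, but over cleartext the hash itself is the login credential and can be reused as-is. A nonce-based exchange closes that particular gap, yet the session cookie the server hands back after a successful login still crosses the wire unencrypted, which is the Firesheep point made earlier in the thread: without HTTPS the session is exposed regardless of how the password was transmitted.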