On Thu, Oct 13, 2011 at 10:23:58AM +0200, Maarten Lankhorst wrote:
Hey,
On 10/12/2011 12:46 AM, Josh Juran wrote:
On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran josh@iswifter.net wrote:
Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)
Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.
Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.
If I go to any https://*.winehq.org website I get the certificate for test.winehq.org, otherwise you could use Firefox HTTPS Everywhere to force https on.
Or better yet, force automatic redirect to https, with Strict-Transport-Security: https://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-f...
If winehq can't get more ips for every subdomain (ssl sucks), would the solution be moving it to https://winehq.org/{bugs,appdb,test,source} ?
Or a wildcard SSL cert for *.winehq.org.
Ciao, Marcus
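As an added example (not code from this thread or from the WineHQ project), a small Python audit of the three points raised above: whether plain HTTP permanently redirects to HTTPS, whether the certificate's SAN names cover the host (with the wildcard rule browsers apply, so a cert for test.winehq.org or a misapplied wildcard shows up as a finding), and whether a usable Strict-Transport-Security header is present. All hostnames, status codes and headers fed to it are constructed, not captured from winehq.org.

```python
from typing import Dict, List, Optional

def hostname_matches(hostname: str, san_names: List[str]) -> bool:
    """True if a SAN dNSName covers hostname. A wildcard is honoured only as
    the whole leftmost label and matches exactly one label (RFC 6125 6.4.3):
    *.winehq.org covers bugs.winehq.org, not winehq.org or a.b.winehq.org."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            label, dot, parent = host.partition(".")
            if dot and label and parent == name[2:]:
                return True
        elif name == host:
            return True
    return False

def parse_hsts(header: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value; None if absent or malformed."""
    if header is None:
        return None
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None  # max-age is the one mandatory directive
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def audit(hostname: str, http_status: int, http_location: Optional[str],
          https_headers: Dict[str, str], san_names: List[str]) -> List[str]:
    """Findings for one host: HTTP->HTTPS redirect, cert coverage, HSTS.
    Inputs are constructed by the caller (header names lower-cased)."""
    findings = []
    target = "https://" + hostname
    if http_status not in (301, 308) or not (http_location or "").startswith(target):
        findings.append("http://%s does not permanently redirect to https" % hostname)
    if not hostname_matches(hostname, san_names):
        findings.append("certificate does not cover %s" % hostname)
    hsts = parse_hsts(https_headers.get("strict-transport-security"))
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header")
    elif hsts["max_age"] < 15552000:  # 180 days, a common minimum for HSTS
        findings.append("HSTS max-age shorter than 180 days")
    return findings
```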