On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:

> On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <josh@xxxxxxxxxxxx> wrote:
>
>> Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember Firesheep?)
>
> Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?

To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option. Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.

Josh
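The two failure modes the thread describes can be checked mechanically from a defender's side: whether the login form would ship the password over plain HTTP at all, and whether the session cookies that come back are marked so the browser refuses to send them over http:// (the Firesheep problem). The following is an added example, not code from the thread or from the Bugzilla project. The response headers, the page URL and the session cookie names (chosen to look like Bugzilla's login cookies, but constructed here) are sample values, and the check treats any cookie name you pass in as the session cookie.

```python
"""Audit a login page for the two cleartext problems raised in the thread.

Added example; not Bugzilla code. Header lines, URLs and cookie names below
are constructed sample values.
"""
from typing import Dict, List, Set, Tuple
from urllib.parse import urljoin, urlsplit


def login_form_posts_over_https(page_url: str, form_action: str) -> bool:
    """Return True only if the login form's (possibly relative) action resolves
    to an https:// URL, i.e. the password will not cross the wire in cleartext."""
    target = urljoin(page_url, form_action)
    return urlsplit(target).scheme.lower() == "https"


def parse_set_cookie(header_value: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie value into (cookie name, set of lowercase attribute names).
    Attribute values (Path=/, Max-Age=...) are dropped; only the names matter here."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_session_cookies(
    headers: List[Tuple[str, str]], session_cookie_names: Set[str]
) -> Dict[str, List[str]]:
    """Return {cookie_name: [problems]} for each session cookie that a sniffer
    on the same network could capture or that page script could read.
    An empty dict means every session cookie carries Secure and HttpOnly."""
    findings: Dict[str, List[str]] = {}
    for header_name, value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie not in session_cookie_names:
            continue
        problems = []
        if "secure" not in attrs:
            # Without Secure the browser also sends the cookie on plain http://
            # requests to the same host, which is exactly what Firesheep harvested.
            problems.append("no Secure attribute: cookie is also sent over plain http://")
        if "httponly" not in attrs:
            problems.append("no HttpOnly attribute: cookie is readable by page script")
        if problems:
            findings[cookie] = problems
    return findings


# Constructed sample data (not captured from a real server).
SESSION_COOKIES = {"Bugzilla_login", "Bugzilla_logincookie"}  # assumed names

WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "Bugzilla_login=12345; Path=/"),
    ("Set-Cookie", "Bugzilla_logincookie=abcdef; Path=/"),
    ("Set-Cookie", "LANG=en; Path=/"),  # not a session cookie, ignored
]

HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "Bugzilla_login=12345; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "Bugzilla_logincookie=abcdef; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "LANG=en; Path=/"),
]


if __name__ == "__main__":
    # Password path: an http:// page whose form posts to a relative action
    # sends the password in cleartext; the same form on an https:// page does not.
    for page in ("http://bugzilla.example/index.cgi", "https://bugzilla.example/index.cgi"):
        print(page, "-> form posts over HTTPS:", login_form_posts_over_https(page, "index.cgi"))

    # Session path: weak cookies are reported, hardened ones produce no findings.
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "->", audit_session_cookies(hdrs, SESSION_COOKIES) or "no findings")
```

Running it prints two findings per session cookie for the weak response and none for the hardened one. The Secure attribute is the cookie-level half of "HTTPS-only sessions": even if a user or a link reaches the site over http://, the browser keeps the session cookie off the wire, so a sniffer sees at most an unauthenticated request.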