2011/10/11 Josh Juran <josh@xxxxxxxxxxxx>

> On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
>
> > On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <josh@xxxxxxxxxxxx> wrote:
> >
> >> Since bugzilla passwords were sent in cleartext anyway, I sincerely hope
> >> none of them were otherwise valuable. (Remember FireSheep?)
> >
> > Wait, what? Bugzilla sends passwords in cleartext? That isn't very
> > smart... Is there no way to replace this with some sort of client based
> > hashing or something?
>
> To clarify, your browser sends your password to bugzilla in cleartext,
> since HTTPS isn't an option.
>
> Firesheep was a lesson that even once passwords are secure, session
> credentials are still vulnerable to sniffing. Some sites went to HTTPS-only
> sessions after that.
>
> Josh
>

Shouldn't it be possible to modify the login environment so that a salted
hash of the password is produced before sending it to the server, to
strengthen the security a little bit?
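Added example, not part of the original messages and not Bugzilla code: a Python simulation of two ways the salted-hash idea in the closing question can be carried out over plain HTTP, comparing what a listener on the wire could reuse in each. The `Server` class, the function names and the sample password are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

def verifier(salt: bytes, password: str) -> bytes:
    """Salted password hash, computed on the client in both schemes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Server:
    """Toy login endpoint reached over plain HTTP (constructed, hypothetical)."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)       # public: sent to the client
        self.stored = verifier(self.salt, password)
        self.nonce = None

    # Scheme 1: the client sends the salted hash itself.
    def login_static(self, sent_hash: bytes) -> bool:
        return hmac.compare_digest(sent_hash, self.stored)

    # Scheme 2: the client answers a one-time nonce using the salted hash as key.
    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def login_challenge(self, response: bytes) -> bool:
        if self.nonce is None:
            return False
        nonce, self.nonce = self.nonce, None      # each nonce is accepted once
        expected = hmac.new(self.stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def client_response(salt: bytes, password: str, nonce: bytes) -> bytes:
    return hmac.new(verifier(salt, password), nonce, hashlib.sha256).digest()

def run_demo():
    server = Server("correct horse")              # constructed sample password
    # Scheme 1: the bytes on the wire are all a later login needs.
    on_wire = verifier(server.salt, "correct horse")
    static_first = server.login_static(on_wire)
    static_replay = server.login_static(on_wire)  # same bytes, password unknown
    # Scheme 2: a response is bound to one nonce and fails against the next.
    resp = client_response(server.salt, "correct horse", server.challenge())
    cr_first = server.login_challenge(resp)
    server.challenge()
    cr_replay = server.login_challenge(resp)
    return static_first, static_replay, cr_first, cr_replay

if __name__ == "__main__":
    print(run_demo())
```

Neither scheme covers the session credential issued after login, which is the Firesheep point made in the thread.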