Issue463

Title HTTPS only version for login for this tracker
Priority urgent Status chatting
Superseder Nosy List inada.naoki, loewis, r.david.murray, techtonik, yan12125
Assigned To Topics

Created on 2012-05-22.05:53:46 by techtonik, last changed 2017-02-13.09:17:06 by yan12125.

Messages
msg2505 (view) Author: techtonik Date: 2012-05-22.05:53:45
I often use unencrypted public WiFi networks and logging in to this tracker (which doesn't have any OAuth2 interface) imposes a high security risk. I propose to make login secure.
msg2527 (view) Author: loewis Date: 2012-05-25.17:43:58
The risk isn't really high. Just chose a password that you don't use anywhere else, and the threat of somebody stealing it can be safely ignored. Somebody might be posting in your name, but that doesn't scare me at all.
msg2528 (view) Author: techtonik Date: 2012-05-25.20:39:05
I will be interested to know how many developers are using the same password for all *.python.org services. Can you run a hash compare check to see that the risk is really not that high?
msg2529 (view) Author: loewis Date: 2012-05-25.22:52:43
Comparing the password hashes is inconclusive; the passwords are salted.

In any case, this issue is about a problem that you perceive for yourself. Whether or not other people feel likewise threatened, we cannot know.
msg2530 (view) Author: r.david.murray Date: 2012-05-29.10:49:00
I use unique passwords for all services for exactly this reason so I, for one, am not worried.
msg2783 (view) Author: techtonik Date: 2013-09-28.05:57:03
I don't use unique password and I believe the next competition organized by some not-well known hacker group may include some Python services just to measure the impact. I don't see any other way to raise the importance of such issues other than transforming them into personal experience.
msg3229 (view) Author: inada.naoki Date: 2017-01-25.06:42:30
https://www.mozilla.org/en-US/firefox/51.0/releasenotes/

> A warning is displayed when a login page does not have a secure connection

I think we should follow "always use HTTPS" trends.
History
Date User Action Args
2017-02-13 09:17:06yan12125setnosy: + yan12125
2017-01-25 06:42:31inada.naokisetnosy: + inada.naoki
messages: + msg3229
2016-08-03 05:54:02berker.peksaglinkissue602 superseder
2013-09-28 05:57:03techtoniksetpriority: wish -> urgent
messages: + msg2783
2012-05-29 10:49:00r.david.murraysetnosy: + r.david.murray
messages: + msg2530
2012-05-25 22:52:43loewissetpriority: critical -> wish
messages: + msg2529
2012-05-25 20:39:05techtoniksetpriority: wish -> critical
messages: + msg2528
2012-05-25 17:43:58loewissetstatus: unread -> chatting
nosy: + loewis
messages: + msg2527
2012-05-25 17:42:12loewissetpriority: critical -> wish
2012-05-22 05:53:46techtonikcreate