McGill-CSB / PHYLO

a gaming framework to align genomic data
phylo.cs.mcgill.ca/edge

PHYLO sends user passwords in plaintext; should be using TLS #118

Open movermeyer opened 6 years ago

movermeyer commented 6 years ago

PHYLO is not using encryption (i.e. TLS). This has been an increasingly dangerous thing for websites to do, as user details are being sent in plaintext across the internet.

This allows third parties to collect the user details which can be used to compromise other online accounts of the >60% of users who re-use their passwords across multiple sites.

Beyond that, we have seen nation-states take advantage of non-TLS connections in order to perform man-in-the-middle attacks on users, which can harm both the users and the reputation of the site.

This is all to say that encrypting connections to websites has become table stakes for being secure on the web.

From Fiddler 4:

POST http://ec2-52-26-53-11.us-west-2.compute.amazonaws.com/api/login/ HTTP/1.1
Host: ec2-52-26-53-11.us-west-2.compute.amazonaws.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://phylo.cs.mcgill.ca/
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Origin: http://phylo.cs.mcgill.ca
DNT: 1
Connection: keep-alive

username=MyUsername&password=MySecurePassword

More reading:

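The capture above is the signature a defender can look for in proxy or traffic logs: a form-encoded POST carrying a credential field to an `http://` URL, with `Origin`/`Referer` also `http://`. The following checker is an added example for this issue, not PHYLO project code; the request it parses is a constructed copy of the capture format with placeholder hostnames (`login.example.invalid`, `game.example.invalid`) in place of the real ones.

```python
"""Flag login form submissions captured over plain HTTP (added example)."""
from urllib.parse import parse_qs, urlsplit

# Field names that should never travel without TLS (assumed list).
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "token"}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, url, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers, body.strip()


def plaintext_credential_findings(raw: str) -> list:
    """Return findings for credentials sent to an http:// URL.

    The scheme is read from the absolute URL in the request line, which is
    the form a proxy capture (such as the Fiddler one above) uses. Only
    form-encoded POST bodies are inspected.
    """
    method, url, headers, body = parse_request(raw)
    parts = urlsplit(url)
    if parts.scheme != "http" or method != "POST":
        return []  # https, or a request we cannot judge
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    findings = []
    for name in parse_qs(body, keep_blank_values=True):
        if name.lower() in CREDENTIAL_FIELDS:
            findings.append(f"{name} sent in plaintext to {parts.netloc}{parts.path}")
    # An http:// Origin/Referer means the login page itself was served
    # unencrypted, so an on-path attacker could also have altered the form.
    for hdr in ("origin", "referer"):
        if headers.get(hdr, "").startswith("http://"):
            findings.append(f"{hdr} is http://, login page served without TLS")
    return findings


# Constructed sample in the same shape as the Fiddler capture (placeholder hosts).
SAMPLE_REQUEST = (
    "POST http://login.example.invalid/api/login/ HTTP/1.1\r\n"
    "Host: login.example.invalid\r\n"
    "Referer: http://game.example.invalid/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Origin: http://game.example.invalid\r\n"
    "\r\n"
    "username=MyUsername&password=MySecurePassword"
)
```

Running `plaintext_credential_findings(SAMPLE_REQUEST)` yields three findings; the same request rewritten to `https://` yields none, which is the state the fix should leave the login endpoint in.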
movermeyer commented 6 years ago

This applies to

waldispuhl commented 6 years ago

Thanks. We are indeed planning to use TLS. We're working on it but are experiencing compatibility issues. Hopefully it'll be fixed soon.