mckoss / pageforest

Automatically exported from code.google.com/p/pageforest

Don't transmit plaintext password #7

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Go to http://www.pageforest.com/sign-up
2. Enter your password

What is the expected output?
I expect client-side validation of the password. Before the form is posted,
it should replace the password with HMAC-SHA1(password, username).

What do you see instead?
My password is transmitted in plaintext without SSL every 3 seconds and
when I click "Join Now".

Original issue reported on code.google.com by jcrocholl on 18 May 2010 at 3:32

GoogleCodeExporter commented 9 years ago

Original comment by mckoss@gmail.com on 18 May 2010 at 7:44

GoogleCodeExporter commented 9 years ago

Original comment by mckoss@gmail.com on 29 May 2010 at 3:05

GoogleCodeExporter commented 9 years ago

Original comment by jcrocholl on 1 Jun 2010 at 7:03

GoogleCodeExporter commented 9 years ago
The registration form is now fixed, but the sign-in form also needs to be updated to
send HMAC-SHA1 instead of the password.

Original comment by jcrocholl on 2 Jun 2010 at 1:55
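
Added example, not part of the original issue thread or the pageforest code: a sketch of the replacement the report asks for on the sign-up form and the comment above asks for on the sign-in form. It assumes the password is the HMAC key and the username is the message; the function names, the username normalisation and the server-side comparison are hypothetical.

```javascript
// Added example: all names here are hypothetical, not from the pageforest code base.
const nodeCrypto = require('node:crypto');

// HMAC-SHA1 as lowercase hex. Argument order mirrors the issue's
// HMAC-SHA1(password, username). Assumption: password is the key,
// username is the message.
function hmacSha1Hex(key, message) {
  return nodeCrypto.createHmac('sha1', key).update(message, 'utf8').digest('hex');
}

// Assumption: usernames are case-insensitive, so normalise before deriving,
// otherwise "Alice" at sign-up and "alice" at sign-in would not match.
function normalizeUsername(username) {
  return username.trim().toLowerCase();
}

// Build the fields a sign-up or sign-in form would post. The typed password
// is replaced by the derived value and never appears in the returned object.
function buildPostFields(form) {
  if (!form.username || !form.password) {
    throw new Error('username and password are required');
  }
  const username = normalizeUsername(form.username);
  return { username, password: hmacSha1Hex(form.password, username) };
}

// Server side (assumption): compare the posted value with the one stored at
// sign-up, in constant time. Malformed or short input simply fails to match.
function matchesStored(storedHex, postedHex) {
  const a = Buffer.from(storedHex, 'hex');
  const b = Buffer.from(postedHex, 'hex');
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Constructed sample input, not real credentials.
const signUp = buildPostFields({ username: 'Alice', password: 'correct horse' });
const signIn = buildPostFields({ username: 'alice ', password: 'correct horse' });
console.log(signUp.username, signUp.password.length,
  matchesStored(signUp.password, signIn.password));
```

The derived value is what the server accepts, so a captured POST can still be replayed; the change keeps only the typed password itself off the wire.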

GoogleCodeExporter commented 9 years ago
This issue was closed by revision ca021e58b7.

Original comment by jcrocholl on 2 Jun 2010 at 11:16

GoogleCodeExporter commented 9 years ago

Original comment by mckoss@gmail.com on 4 Nov 2010 at 11:49