Closed: atoponce closed this 5 years ago
Good point. Updated to HTTPS (though the passwords are generated client-side, so no sniffing would be possible either way).
Thanks for fixing this.
I probably should have mentioned that HTTP-only leaves the browser open to content injection attacks, which means the adversary could inject JavaScript that could sniff the generated passwords, and send them to a logging server.
The site http://useapassphrase.com really needs to be served under HTTPS, so the passphrases cannot be passively sniffed on the wire.