[Wine] WineHQ database compromise
Conan Kudo (ニール・ゴンパ)
ngompa13 at gmail.com
Tue Oct 11 17:54:26 CDT 2011
2011/10/11 Josh Juran <josh at iswifter.net>
> On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
> > On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <josh at iswifter.net> wrote:
> >> Since bugzilla passwords were sent in cleartext anyway, I sincerely hope
> >> none of them were otherwise valuable. (Remember FireSheep?)
> > Wait, what? Bugzilla sends passwords in cleartext? That isn't very
> > smart... Is there no way to replace this with some sort of client based
> > hashing or something?
> To clarify, your browser sends your password to bugzilla in cleartext,
> since HTTPS isn't an option.
> Firesheep was a lesson that even once passwords are secure, session
> credentials are still vulnerable to sniffing. Some sites went to HTTPS-only
> sessions after that.
Shouldn't it be possible to modify the login environment so that a salted
hash of the password is produced before sending it to the server, to
strengthen the security a little bit?
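
An added illustration of the idea raised above, not part of the original message and not Bugzilla code: it compares a fixed salted hash sent from the client with a per-login challenge-response, from the point of view of what a passive observer on the wire ends up holding. The class names, salt and password are constructed for the example.

```javascript
// Added illustration (not Bugzilla code); every name and value here is constructed.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest('hex');
const safeEqual = (a, b) =>
  a.length === b.length && crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));

const SALT = 'constructed-salt';
const PASSWORD = 'correct horse';
const saltedHash = () => sha256(SALT + PASSWORD); // what the browser would compute

// Scheme A: the client sends sha256(salt + password) on every login.
class StaticHashServer {
  constructor() { this.stored = saltedHash(); }
  login(sent) { return safeEqual(sent, this.stored); }
}

// Scheme B: the server issues a single-use nonce and the client sends
// HMAC(key = salted hash, message = nonce).
class ChallengeServer {
  constructor() { this.stored = saltedHash(); this.open = new Set(); }
  challenge() {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.open.add(nonce);
    return nonce;
  }
  login(nonce, proof) {
    if (!this.open.delete(nonce)) return false; // unknown or already used nonce
    return safeEqual(proof, hmac(this.stored, nonce));
  }
}

function demo() {
  const a = new StaticHashServer();
  const onWire = saltedHash();                 // value visible on a cleartext link
  const replayStatic = a.login(onWire);        // same value is accepted again

  const b = new ChallengeServer();
  const n1 = b.challenge();
  const proof = hmac(saltedHash(), n1);        // value visible on a cleartext link
  const firstLogin = b.login(n1, proof);
  const replaySameNonce = b.login(n1, proof);  // nonce was consumed
  const replayNewNonce = b.login(b.challenge(), proof);
  const passwordOnWire = onWire.includes(PASSWORD) || proof.includes(PASSWORD);
  return { replayStatic, firstLogin, replaySameNonce, replayNewNonce, passwordOnWire };
}

console.log(demo());
```

In both schemes the value the server stores is itself sufficient to log in, and neither protects the session cookie issued after login, which is the Firesheep point quoted above.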