[Wine] WineHQ database compromise

Marcus Meissner marcus at jet.franken.de
Wed Oct 12 22:44:38 CDT 2011


On Thu, Oct 13, 2011 at 10:23:58AM +0200, Maarten Lankhorst wrote:
> Hey,
> 
> On 10/12/2011 12:46 AM, Josh Juran wrote:
> > On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:
> >
> >> On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <josh at iswifter.net> wrote:
> >>
> >>> Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable.  (Remember FireSheep?)
> >> Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart... Is there no way to replace this with some sort of client based hashing or something?
> > To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.
> >
> > Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.
> >
> If I go to any https://*.winehq.org website I get the certificate for test.winehq.org , otherwise you could use the firefox https anywhere to force https on.
> 
> Or better yet, force automatic redirect to https, with Strict-Transport-Security:
> https://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/
> 
> If winehq can't get more ips for every subdomain (ssl sucks), would the solution be moving it to https://winehq.org/{bugs,appdb,test,source} ?

Or a wildcard SSL cert for *.winehq.org.

Ciao, Marcus



More information about the wine-users mailing list