[Pharo-users] Insecure issue tracker registration

Ben Coman btc at openinworld.com
Wed Jun 13 10:22:31 EDT 2018

On 13 June 2018 at 16:25, Manuel Leuenberger <leuenberger at inf.unibe.ch> wrote:

> Hi,
> I announced my concerns on Discord already, but got no reaction, so I post
> it here as well to have it properly archived.
> "A colleague just noticed that the registration for the issue tracker is
> HTTP-only. This is not an appropriate choice for sensitive data like a
> password. Any possibilities to make this HTTPS-only?
> Link: http://tracker.pharo.org/issues-register-service, setting https://
> manually does not work"
> From my perspective this is a serious problem that should be quickly
> addressed, it's not just a nice to have feature. Not treating sensitive
> data with proper care leaves an image of not caring about user security and
> looks unprofessional. I don't think that is what Pharo needs.

Thanks for raising this. Your concerns are valid, but in the meantime
until someone can change it to https,
just use a temporary password and immediately change it the first time you
log onto Fogbugz - which is a https service.

@all, if it's difficult to add https to it, then perhaps at least a note can
be added to advise using a temporary password.

cheers -ben