[SAC] Unencrypted login to QGIS hub.qgis.org !

Alex Mandel tech_dev at wildintellect.com
Sun Feb 24 10:40:46 PST 2013


On 02/24/2013 10:19 AM, Alex Mandel wrote:
> On 02/24/2013 03:31 AM, Martin Spott wrote:
>> Hi,
>> I planned to report a bug concerning building QGIS trunk on my (my
>> wife's) PeeCee at home and while logging into "hub.qgis.org/login" I
>> noticed that this site:
>>
>> a) Apparently authenticates against OSGeo LDAP, but
>> b) is not capable of properly retrieving the real name and EMail
>>    address from OSGeo LDAP,
>> c) does *not* enforce HTTP SSL encryption at login and, moreover
>> d) does not even *permit* HTTP SSL encryption at login.
>>
>> While b) just lets you *look* bad, c) is very bad style and d) is very
>> bad overall, because you're compromising OSGeo passwords.  Please
>> *always* add proper encryption whenever authentication is affected.
>>
>> Thanks,
>> 	Martin.
>>
> 
> Yup, I've been aware of it and have been constantly asking the qgis PSC
> to sign up for a free SSL cert from StartSSL. I can sign up for the cert
> and just have it emailed to me but much preferred that the qgis admins
> had the account it was under.
> 
> Thanks,
> Alex

Now that I'm thinking about it and poking around, anyone have the
account details for where we bought the osgeo cert? I wanted to see if
that covered additional domains or not.

Thanks,
Alex
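
Whether an existing certificate can be reused for another host comes down to the DNS names in its subjectAltName extension. The sketch below is an added example, not part of the original message: the SAN entries and host list are constructed (they are not the real OSGeo certificate's contents) and the function names are hypothetical.

```python
# Added example: does a certificate's subjectAltName list cover a host name?
# All SAN values below are constructed; they are not the real OSGeo certificate.

def dns_names(peercert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(hostname, san):
    """True if one SAN dNSName covers hostname (conservative RFC 6125 rules)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False              # "*" stands for exactly one label
    if any("*" in label for label in pat[1:]):
        return False              # wildcard only in the left-most label
    if "*" in pat[0]:
        if pat[0] != "*" or len(pat) < 3:
            return False          # no partial ("w*") or "*.org"-style wildcards
        return host[1:] == pat[1:]
    return host == pat


def coverage(hostnames, peercert):
    """Map each host name to the SAN entry that covers it, or None."""
    sans = dns_names(peercert)
    return {h: next((s for s in sans if san_matches(h, s)), None)
            for h in hostnames}


# Constructed certificate: one bare-domain entry, one wildcard, one non-DNS entry.
SAMPLE_CERT = {"subjectAltName": (("DNS", "osgeo.org"),
                                  ("DNS", "*.osgeo.org"),
                                  ("IP Address", "192.0.2.10"))}
# Constructed host list; hub.qgis.org is the host named in the thread.
SAMPLE_HOSTS = ["osgeo.org", "lists.osgeo.org", "a.b.osgeo.org", "hub.qgis.org"]

if __name__ == "__main__":
    for host, san in coverage(SAMPLE_HOSTS, SAMPLE_CERT).items():
        print(f"{host:18} {'covered by ' + san if san else 'NOT covered'}")
```

A wildcard entry covers exactly one label under its own domain, so a host under a different registered domain is only covered if the certificate lists that name explicitly.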
