[SAC] Unencrypted login to QGIS hub.qgis.org !

Alex Mandel tech_dev at wildintellect.com
Sun Feb 24 10:19:20 PST 2013


On 02/24/2013 03:31 AM, Martin Spott wrote:
> Hi,
> I planned to report a bug concerning building QGIS trunk on my (my
> wife's) PeeCee at home and while logging into "hub.qgis.org/login" I
> noticed that this site:
> 
> a) Apparently authenticates against OSGeo LDAP, but
> b) is not capable of properly retrieving the real name and EMail
>    address from OSGeo LDAP,
> c) does *not* enforce HTTP SSL encryption at login and, moreover
> d) does not even *permit* HTTP SSL encryption at login.
> 
> While b) just lets you *look* bad, c) is very bad style and d) is very
> bad overall, because you're compromising OSGeo passwords.  Please
> *always* add proper encryption whenever authentication is affected.
> 
> Thanks,
> 	Martin.
> 

Yup, I've been aware of it and have been constantly asking the qgis PSC
to sign up for a free SSL cert from StartSSL. I can sign up for the cert
and just have it emailed to me but much preferred that the qgis admins
had the account it was under.

Thanks,
Alex

