OK - clearly removing the password was not a good idea.

I want to break this down into three issues.

Issue 1.  Are we using a secure server for the login to rrc.tucows.com?
The answer is yes - the actual URL for the server is https://rrc.tucows.com/
Therefore proper authentication and encryption are being observed.

Issue 2. Removing the password unintentionally allows the login to be used to
test user names.
We can put the password back tomorrow.  It was removed for other reasons,
but given the severity of this - this can be done tomorrow.

Issue 3.  Integration for the RRC content into the RWI and the usability of
the RWI.  This is currently an active project, but as you can imagine one
that will take time.  Creating the RRC is actually an interim step to
allowing access to the documentation and other tools via a revamped RWI with
better usability.

Password going back up tomorrow as soon as we re-establish the database.
Jacqui Cook
Tucows
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Winston Neutel
Sent: Wednesday, October 22, 2003 4:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Now, who came up with THIS ?


On Wednesday, October 22, 2003 2:31 PM [EDT],
Kai Schaetzl <[EMAIL PROTECTED]> wrote:
>> Tucows is pleased to announce that we have streamlined access to
>> the Reseller Resource Center (RRC). Effective immediately,
>> Resellers can sign-in using their user name only.  The password
>> is no longer required.
[snip]
>
> What the heck is this supposed to be good for? It took me TWO
> guesses to guess the username of a member of this list and get
> in. Username verified, now up for brute-forcing the password ...

And what purpose does this serve anyway? If the password is not
required, why not just track the user with a cookie? Why is the
username needed?
