On Fri, Jun 30, 2017 at 01:54:45AM -0400, Ineiev wrote:
> On Thu, Jun 29, 2017 at 06:21:22PM -0600, Bob Proulx wrote:
> > Ineiev wrote:
> > > In savane/frontend/php/account/register.php, I see a message
> > > like "For better security we advise you to change your password
> > > as soon as possible." (it's sent in the confirmation message).
...
> > The link sent to you by email may be eavesdropped upon. But when you
> > connect with https then if you trust the CA (certificate authority)
> > that signed the https certificate (historically there have been
> > problems with that) then you can trust that your connection to the
> > site is secure. Changing your password over https should be very
> > secure. More so than if anything is sent to you by email.
> >
> > Also I will note that there have been some incidents at other sites
> > where SMS text messages were subverted. Therefore SMS tokens are not
> > good security either.
>
> The registration form (including the password) is sent over HTTPS,
> so it should be equally secure. Plain-text email isn't secure,
> and I can see how it could be used to register with another person's
> email account, but it isn't clear to me how one could use the hash
> to compromise the password.
If we can't find the reason, I'd suggest replacing that notice with a recommendation to register a GPG key, like "For better security we advise you to register an encryption-capable GPG key and enable sending password reset messages encrypted; in which case, be sure to request a reset and check that you actually can read those messages."