Re: [Python-ideas] Password masking for getpass.getpass

From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Subject Re: [Python-ideas] Password masking for getpass.getpass
Date 2016-01-14 11:27 +1100
Message-ID <mailman.120.1452731243.13488.python-list@python.org> (permalink)
References (2 earlier) <20160113021746.GA26480@phdru.name> <CAPTjJmry6FBEzcH8rPHbyUSSGadZ+a4ih9mbeeNG1hWx=TioBQ@mail.gmail.com> <20160113100442.GI10854@ando.pearwood.info> <CAPTjJmqk29dLRfdXBiBAJx5ZsvRNHQesNEciw1h93+rJ7b9o3g@mail.gmail.com> <CALwzid=zC+T9SZCrgWGM=R9EH1VDXruCQzfzQXERoPOB+3zOjQ@mail.gmail.com>


On Thu, Jan 14, 2016 at 11:17 AM, Ian Kelly <ian.g.kelly@gmail.com> wrote:
> On Wed, Jan 13, 2016 at 3:19 AM, Chris Angelico <rosuav@gmail.com> wrote:
>> You're quite probably right that obfuscating the display is security
>> theatre; but it's the security theatre that people are expecting. If
>> you're about to enter your credit card details into a web form, does
>> it really matter whether or not the form itself was downloaded over an
>> encrypted link? But people are used to "look for the padlock", which
>> means that NOT having the padlock will bother people. If you ask for a
>> password and it gets displayed, people will wonder if they're entering
>> it in the right place.
>
> I realize that I'm taking this thread off-topic, but yes it's
> important that the form itself be downloaded over a secure connection.
> If I can MitM the form response over an insecure connection, then I
> can also MitM the form itself. And if I can do that, then I can
> deliver exactly the form you were expecting, but with an added script
> that will read your credit card number as you type it and then fire it
> off to be stored on my server before you've even hit the Submit
> button.

Noscript FTW.

:)

ChrisA
