


Re: [Python-ideas] Password masking for getpass.getpass

Started by: Ian Kelly <ian.g.kelly@gmail.com>
First post: 2016-01-13 17:17 -0700
Last post: 2016-01-14 11:33 +1100
Articles: 2 — 2 participants


This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.



#101642 — Re: [Python-ideas] Password masking for getpass.getpass

From: Ian Kelly <ian.g.kelly@gmail.com>
Date: 2016-01-13 17:17 -0700
Subject: Re: [Python-ideas] Password masking for getpass.getpass
Message-ID: <mailman.119.1452730710.13488.python-list@python.org>
On Wed, Jan 13, 2016 at 3:19 AM, Chris Angelico <rosuav@gmail.com> wrote:
> You're quite probably right that obfuscating the display is security
> theatre; but it's the security theatre that people are expecting. If
> you're about to enter your credit card details into a web form, does
> it really matter whether or not the form itself was downloaded over an
> encrypted link? But people are used to "look for the padlock", which
> means that NOT having the padlock will bother people. If you ask for a
> password and it gets displayed, people will wonder if they're entering
> it in the right place.

I realize that I'm taking this thread off-topic, but yes it's
important that the form itself be downloaded over a secure connection.
If I can MitM the form response over an insecure connection, then I
can also MitM the form itself. And if I can do that, then I can
deliver exactly the form you were expecting, but with an added script
that will read your credit card number as you type it and then fire it
off to be stored on my server before you've even hit the Submit
button.

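Ian's point is that the transport of the form page matters as much as the transport of the submission: a page fetched over plain HTTP can have its markup or scripts rewritten in transit, whatever its action URL says. The following is an added example, not code from the thread or from Python's getpass module, showing how a defender can audit fetched HTML for exactly that condition. The URL, page content and the `audit_forms` helper are all constructed here for illustration.

```python
# Added example (not from the thread): audit a fetched HTML page for forms whose
# delivery or submission runs over plain HTTP and is therefore open to tampering.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it takes a password or card number."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            is_password = attrs.get("type", "").lower() == "password"
            # HTML autocomplete tokens cc-number, cc-exp, cc-csc ... mark card fields
            is_card = attrs.get("autocomplete", "").lower().startswith("cc-")
            if is_password or is_card:
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return one dict per <form> with its resolved target, sensitivity and issues.

    Issues reported:
      insecure-page   - the page itself arrived over plain http, so a network
                        attacker could have altered the form or added a script
      insecure-action - the form submits to a plain-http URL
    """
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = _FormCollector()
    collector.feed(html)
    report = []
    for index, form in enumerate(collector.forms):
        # An empty action submits back to the page URL itself
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        issues = []
        if page_scheme != "https":
            issues.append("insecure-page")
        if urlsplit(target).scheme.lower() != "https":
            issues.append("insecure-action")
        report.append({"form": index, "target": target,
                       "sensitive": form["sensitive"], "issues": issues})
    return report


# Constructed sample: a checkout page that was fetched over plain http.
SAMPLE_PAGE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<form action="https://shop.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/pay" method="post">
  <input name="cardholder">
  <input name="number" autocomplete="cc-number">
</form>
</body></html>
"""

if __name__ == "__main__":
    for entry in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = "SENSITIVE" if entry["sensitive"] else "plain"
        print(f"form {entry['form']} -> {entry['target']} [{flag}]: "
              f"{', '.join(entry['issues']) or 'ok'}")
```

Note that the login form in the sample posts to an HTTPS URL and still gets flagged: the padlock on the submission does nothing if the page that contains the form was itself delivered over HTTP. Re-running the audit with an `https://` page URL clears both forms.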


#101646

From: Steven D'Aprano <steve@pearwood.info>
Date: 2016-01-14 11:33 +1100
Message-ID: <5696ecd0$0$1620$c3e8da3$5496439d@news.astraweb.com>
In reply to: #101642
On Thu, 14 Jan 2016 11:17 am, Ian Kelly wrote:

> On Wed, Jan 13, 2016 at 3:19 AM, Chris Angelico <rosuav@gmail.com> wrote:
>> You're quite probably right that obfuscating the display is security
>> theatre; but it's the security theatre that people are expecting. If
>> you're about to enter your credit card details into a web form, does
>> it really matter whether or not the form itself was downloaded over an
>> encrypted link? But people are used to "look for the padlock", which
>> means that NOT having the padlock will bother people. If you ask for a
>> password and it gets displayed, people will wonder if they're entering
>> it in the right place.
> 
> I realize that I'm taking this thread off-topic, but yes it's
> important that the form itself be downloaded over a secure connection.


Not just off-topic, but off-list. You appear to have replied to the wrong
mailing list :-)


> If I can MitM the form response over an insecure connection, then I
> can also MitM the form itself. And if I can do that, then I can
> deliver exactly the form you were expecting, but with an added script
> that will read your credit card number as you type it and then fire it
> off to be stored on my server before you've even hit the Submit
> button.




-- 
Steven




