| ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
|
1159
|
Fri May 27 14:48:05 2005 |
 | Stefan Ritt | stefan.ritt@psi.ch | Request | | 2.5.8-6 | Re: password encryption |
| Alex H wrote: | Hi Stefan,
I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release ?
Thanks a lot.
Alex |
Unfortunately there is no real way around that. If a password is entered into a text box, it is always transferred in plain text (which means that in security-sensive installations one should always use SSL together with elog). I encrypt it on the server side and do an immediate redirect which "hided" the plain password, but if your connection is slow, you might see it for a moment. Unless nobody has a clever idea of how to prevent this, we're out of luck. |
|
1160
|
Mon May 30 10:01:14 2005 |
 | Alex H | alex@synergie-inf.com | Request | | 2.5.8-6 | Re: password encryption |
| Stefan Ritt wrote: |
| Alex H wrote: | Hi Stefan,
I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release ?
Thanks a lot.
Alex |
Unfortunately there is no real way around that. If a password is entered into a text box, it is always transferred in plain text (which means that in security-sensive installations one should always use SSL together with elog). I encrypt it on the server side and do an immediate redirect which "hided" the plain password, but if your connection is slow, you might see it for a moment. Unless nobody has a clever idea of how to prevent this, we're out of luck. |
Oki Thanks for the answer  .
Alex |
|
1161
|
Mon May 30 19:18:34 2005 |
 | Gary Clayson | g_clayson@sbcglobal.net | Request | Windows | 2.5.8-6 | Re: password encryption | Hello Alex and Stefan,
I know of only one way to "hide" the text of the status bar in a web browser;
use JavaScript - specifically the status method (as in the following example):
<!-- the following goes in the body of the document, perhaps in a link. -->
<!-- sample link -->
<a href="javascript://place link url here"
onMouseOver="window.status='Status Bar Text Goes Here'; return true">Link Text Here</a>
<!-- place the following script in the head of the document -->
<script language="JavaScript" type="text/javascript"><!--
window.defaultStatus="Default Status Bar Text Here";
--></script>
Of course the above only works in those browsers that support javascripting,
but it is one way to hide the actual text of links from the user.
Hopefully this helps you!
Gary Clayson
| Alex H wrote: | Hi Stefan,
I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release ?
Thanks a lot.
Alex |
|
|
1162
|
Mon May 30 19:56:01 2005 |
| Emiliano Gabrielli | AlberT@SuperAlberT.it | Request | Windows | 2.5.8-6 | Re: password encryption |
| Gary Clayson wrote: | Hello Alex and Stefan,
I know of only one way to "hide" the text of the status bar in a web browser;
use JavaScript - specifically the status method (as in the following example):
<!-- the following goes in the body of the document, perhaps in a link. -->
<!-- sample link -->
<a href="javascript://place link url here"
onMouseOver="window.status='Status Bar Text Goes Here'; return true">Link Text Here</a>
<!-- place the following script in the head of the document -->
<script language="JavaScript" type="text/javascript"><!--
window.defaultStatus="Default Status Bar Text Here";
--></script>
Of course the above only works in those browsers that support javascripting,
but it is one way to hide the actual text of links from the user.
Hopefully this helps you!
Gary Clayson
| Alex H wrote: | Hi Stefan,
I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release ?
Thanks a lot.
Alex |
|
I don't have double checked .. but .. why we need to pass the sensible information in the Query String ??
Are you sure that putting it in an hidden field (and eventualli using a GET methon in the <form>-tag) can't be a solution? |
|
1163
|
Mon May 30 20:16:11 2005 |
| Stefan Ritt | stefan.ritt@psi.ch | Request | Windows | 2.5.8-6 | Re: password encryption |
| Emiliano Gabrielli wrote: |
I don't have double checked .. but .. why we need to pass the sensible information in the Query String ??
Are you sure that putting it in an hidden field (and eventualli using a GET methon in the <form>-tag) can't be a solution? |
Hidden means only these fields are not shown in the form, but they are added to the URL in the same way as non-hidden fields. But I got another idea: I will try to use a POST form instead of the GET form. Using the POST method, fields are attached to the request and not present in the URL. Hope this will work. When I find some time to work on it I will let you know. |
|
1164
|
Tue May 31 09:07:37 2005 |
 | Alex H | alex@synergie-inf.com | Request | Windows | 2.5.8-6 | Re: password encryption | | Thanks Stefan 8) |
|
1176
|
Sat Jun 4 14:00:17 2005 |
| Stefan Ritt | stefan.ritt@psi.ch | Request | | 2.5.8-6 | Re: password encryption |
| Alex H wrote: | I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release ?
Thanks a lot.
Alex |
I switched the login page to the HTTP "POST" method, where arguments are not passed in the URL.
The new version is under CVS. Can you try if the behaviour is better now? I upgraded also the ELOG forum, so you can try there as well. |
|
1096
|
Sun Apr 17 09:35:30 2005 |
 | Mikael Salonvaara | hmsalonv@syr.edu | Bug report | Windows | 2.5.8-4 | Mail not sent but message says it has been sent | If my email host refuses to send the email (476 connections denied), we
still get the message that the email has been sent - and no error message.
How do I or can I send authentication information to the email server? |
|