[MBS-2411] Login page should be encrypted (SSL/TLS) - MetaBrainz Tickets

Type: Improvement
Resolution: Fixed
Priority: Normal
Fix Version/s: 2013-07-22
Affects Version/s: None
Component/s: Accounts, Admin
Labels:
- HTTPS

The page where a user submits their username and password should be handled through HTTPS, to reduce the chance of username and passwords being intercepted, particularly when users are logging in at public hotspots over WiFi.

Given that other sites like GMail and Facebook are now encrypting their entire traffic to overcome Firesheep (http://en.wikipedia.org/wiki/Firesheep) session cookie cloning attacks, it's seems very poor practice that passwords are being sent apparently in plain text.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

musicbrainz_password_in_transit.png
3 kB
2012-06-07 20:54

depends on

MBH-249 SSL capability

Closed

MBS-5122 Use scheme relative links to support https

Closed

has related issue

IMG-68 4 or 5 seconds latency on HTTPS-CAA image loading (instead of none)

Closed

MBS-5298 WikiDocs links are not scheme-independent

Closed

MBS-5301 gravatars do not get loaded over SSL when they should be

Closed

MBS-5347 acoustid API isn't available nor requested over https, so on https musicbrainz-server acoustids don't appear

Closed

MBS-6701 Now being shifted around from http to https

Closed

PICARD-337 Allow using encrypted connection to mb.org

Closed

MBS-5339 Cover Art should be loaded over SSL where possible

Closed

MBS-357 Don't store passwords in clear text

Closed

is a dependency of

MBS-6711 not redirected to HTTPS login page

Closed

is duplicated by

MBS-3631 Allow login vis SSL

Closed

(5 has related issue, 1 is a dependency of, 1 is duplicated by)

Loading...

Type: Improvement
Resolution: Fixed
Priority: Normal
Fix Version/s: 2013-07-22
Affects Version/s: None
Component/s: Accounts, Admin
Labels:
- HTTPS

The page where a user submits their username and password should be handled through HTTPS, to reduce the chance of username and passwords being intercepted, particularly when users are logging in at public hotspots over WiFi.

Given that other sites like GMail and Facebook are now encrypting their entire traffic to overcome Firesheep (http://en.wikipedia.org/wiki/Firesheep) session cookie cloning attacks, it's seems very poor practice that passwords are being sent apparently in plain text.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

musicbrainz_password_in_transit.png
3 kB
2012-06-07 20:54

depends on

MBH-249 SSL capability

Closed

MBS-5122 Use scheme relative links to support https

Closed

has related issue

IMG-68 4 or 5 seconds latency on HTTPS-CAA image loading (instead of none)

Closed

MBS-5298 WikiDocs links are not scheme-independent

Closed

MBS-5301 gravatars do not get loaded over SSL when they should be

Closed

MBS-5347 acoustid API isn't available nor requested over https, so on https musicbrainz-server acoustids don't appear

Closed

MBS-6701 Now being shifted around from http to https

Closed

PICARD-337 Allow using encrypted connection to mb.org

Closed

MBS-5339 Cover Art should be loaded over SSL where possible

Closed

MBS-357 Don't store passwords in clear text

Closed

is a dependency of

MBS-6711 not redirected to HTTPS login page

Closed

is duplicated by

MBS-3631 Allow login vis SSL

Closed

(5 has related issue, 1 is a dependency of, 1 is duplicated by)

Assignee:: Kuno Woudt

Reporter:: Anonymous

Votes:: 9 Vote for this issue

Watchers:: 6 Start watching this issue

Due:: 2012-09-11

Created:: 2011-05-30 11:15

Updated:: 2020-02-15 10:03

Resolved:: 2013-07-22 12:40

Version	Package
2013-07-22

Details

Description

Attachments

Attachments

Issue Links

Activity

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Packages

People

Dates

Packages