@theonewolf
Created June 29, 2012 19:22
Conversation with Hackerrank.com Site Owners/Developers
→hello
→are you there?
interviewstreet: yes
→i see that you have created a website for hackers
→but you send passwords in the clear?
interviewstreet: what passwords?
interviewstreet: the activation mail doesn't contain any password
→sign up passwords
→are sent via HTTP POST
→in the clear
→x-www-form-urlencoded
→cleartext
street-support: hi
→hi so sign up passwords are sent plaintext
→via HTTP POST
street-support: yes, I believe the best we could have done is to send it via https
street-support: are you suggesting to encrypt in clientside and send or use https?
→i would, at a minimum, force https
street-support: Yeah.. I understand.. We are in the process of doing that, but the excitement to push this out and check the feedback made us post it here :)
→this means that your users are open to being hacked themselves if they use a password that they also use elsewhere
→perhaps you should warn them
street-support: We will. We are on it.
→i think because it is such a young product you should put a big red warning somewhere saying this is not ready yet and passwords *are not secured*
street-support: We will add https now.
→cool
→quick question, where are you guys based?
street-support: MV
→MV == Mountain View
street-support: Yeah..
→cool
→anyways, thanks for being responsive and not ignoring things :-)
support4: :) thanks for your feedback. SSL is going to my prodpush checklist.
→I would add a warning to your website before that occurs that passwords are not secure. As in, have your users just use throwaway passwords.
support4: No.. checklist is for further work. Now, I'm in the process of getting the SSL up and running
→SSL just needs to be used whenever passwords are passed.
→I think you should also work on a strategy to not even send passwords in the clear.
→Also, I am assuming that your database backend is storing passwords in the clear. They should be salted and hashed. Otherwise they can be stolen easily.
support4: Yeah.. They are salted + hashed. SSL isn't the key we missed.
→I'm not sure I follow your English, but I'm glad they are stored more securely than they are transmitted.
support4: sorry, chatting + setting up SSL isn't really the right way to go :) I'll set it up and come back to support.
support4: Thanks for your time.
→Sure.