Created
June 29, 2012 19:22
Conversation with Hackerrank.com Site Owners/Developers
→hello
→are you there?
interviewstreet: yes
→i see that you have created a website for hackers
→but you send passwords in the clear?
interviewstreet: what passwords?
interviewstreet: the activation mail doesn't contain any password
→sign up passwords
→are sent via HTTP POST
→in the clear
→x-www-form-urlencoded
→cleartext
street-support: hi
→hi so sign up passwords are sent plaintext
→via HTTP POST
street-support: yes, I believe the best we could have done is to send it via https
street-support: are you suggesting to encrypt in clientside and send or use https?
→i would, at a minimum, force https
street-support: Yeah.. I understand.. We are in the process of doing that, but the excitement to push this out and check the feedback made us post it here :)
→this means that your users are open to being hacked themselves if they use a password that they also use elsewhere
→perhaps you should warn them
street-support: We will. We are on it.
→i think because it is such a young product you should put a big red warning somewhere saying this is not ready yet and passwords *are not secured*
street-support: We will add https now.
→cool
→quick question, where are you guys based?
street-support: MV
→MV == Mountain View
street-support: Yeah..
→cool
→anyways, thanks for being responsive and not ignoring things :-)
support4: :) thanks for your feedback. SSL is going to my prodpush checklist.
→I would add a warning to your website before that occurs that passwords are not secure. As in, have your users just use throwaway passwords.
support4: No.. checklist is for further work. Now, I'm in the process of getting the SSL up and running
→SSL just needs to be used whenever passwords are passed.
→I think you should also work on a strategy to not even send passwords in the clear.
→Also, I am assuming that your database backend is storing passwords in the clear. They should be salted and hashed. Otherwise they can be stolen easily.
support4: Yeah.. They are salted + hashed. SSL isn't the key we missed.
→I'm not sure I follow your English, but I'm glad they are stored more securely than they are transmitted.
support4: sorry, chatting + setting up SSL isn't really the right way to go :) I'll set it up and come back to support.
support4: Thanks for your time.
→Sure.