On Fri, 25 Jul 2008, Andreas Bauer wrote:
This is a big misunderstanding of "secure", if you ask me.
Or what do I miss? :-)
Neither build.opensuse.org nor api.opensuse.org ever get in touch with the password, it is handled by the ichain proxy. This means even if some evil person manages to infect the api/build source or the api/build server gets hacked, no passwords can be sniffed/retrieved.
This assumes that the user recognizes that the login page is on a different system. I doubt that. I would recognize it, because the automatic password entering of my system would not work, but I would not see this when I type it by hand.

Making a login/password form on obs and letting it point to the same target as the current login points to would not change the security to a measurable degree. The servers involved would not see passwords either. Only if webpages on the obs servers are hacked could the password fields be used in a dangerous way, and in this case a dangerous login redirector could do the same.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)