[Python-ideas] Password masking for getpass.getpass
Ian Kelly
ian.g.kelly at gmail.com
Wed Jan 13 19:17:42 EST 2016
On Wed, Jan 13, 2016 at 3:19 AM, Chris Angelico <rosuav at gmail.com> wrote:
> You're quite probably right that obfuscating the display is security
> theatre; but it's the security theatre that people are expecting. If
> you're about to enter your credit card details into a web form, does
> it really matter whether or not the form itself was downloaded over an
> encrypted link? But people are used to "look for the padlock", which
> means that NOT having the padlock will bother people. If you ask for a
> password and it gets displayed, people will wonder if they're entering
> it in the right place.
I realize that I'm taking this thread off-topic, but yes it's
important that the form itself be downloaded over a secure connection.
If I can MitM the form response over an insecure connection, then I
can also MitM the form itself. And if I can do that, then I can
deliver exactly the form you were expecting, but with an added script
that will read your credit card number as you type it and then fire it
off to be stored on my server before you've even hit the Submit
button.
More information about the Python-list
mailing list