[Python-ideas] Password masking for getpass.getpass

Chris Angelico rosuav at gmail.com
Wed Jan 13 19:27:21 EST 2016


On Thu, Jan 14, 2016 at 11:17 AM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
> On Wed, Jan 13, 2016 at 3:19 AM, Chris Angelico <rosuav at gmail.com> wrote:
>> You're quite probably right that obfuscating the display is security
>> theatre; but it's the security theatre that people are expecting. If
>> you're about to enter your credit card details into a web form, does
>> it really matter whether or not the form itself was downloaded over an
>> encrypted link? But people are used to "look for the padlock", which
>> means that NOT having the padlock will bother people. If you ask for a
>> password and it gets displayed, people will wonder if they're entering
>> it in the right place.
>
> I realize that I'm taking this thread off-topic, but yes it's
> important that the form itself be downloaded over a secure connection.
> If I can MitM the form response over an insecure connection, then I
> can also MitM the form itself. And if I can do that, then I can
> deliver exactly the form you were expecting, but with an added script
> that will read your credit card number as you type it and then fire it
> off to be stored on my server before you've even hit the Submit
> button.

Noscript FTW.

:)

ChrisA
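The masked-echo prompt the thread is debating, as an added example that is not code from the thread or from the standard library: the masking logic is separated from terminal handling so it can be exercised without a TTY, and the terminal wrapper (names `read_masked` and `masked_getpass` are my own) assumes a POSIX tty via `termios`/`tty`, falling back to `getpass.getpass` elsewhere.

```python
import sys
import getpass


def read_masked(read_char, write, mask="*"):
    """Collect characters until Enter, echoing `mask` for each one.

    read_char() returns one character ("" on EOF); write(s) emits text.
    Backspace/DEL drops the last character and erases one mask on screen.
    Ctrl-C raises KeyboardInterrupt, matching getpass.getpass() behaviour.
    Returns the password as a str (never echoed in clear).
    """
    buf = []
    while True:
        ch = read_char()
        if ch in ("\r", "\n", ""):   # Enter or EOF ends the input
            write("\n")
            return "".join(buf)
        if ch == "\x03":             # Ctrl-C when ISIG is not handling it
            raise KeyboardInterrupt
        if ch in ("\x7f", "\b"):     # DEL or backspace
            if buf:
                buf.pop()
                write("\b \b")       # step back, blank the mask, step back
            continue
        buf.append(ch)
        write(mask)


def masked_getpass(prompt="Password: ", stream=None):
    """Prompt with masked echo on a POSIX tty; otherwise defer to getpass.

    Assumption: termios/tty are available (not on Windows); when stdin is
    a pipe or an IDE console, the no-echo getpass.getpass() is used.
    """
    if sys.platform == "win32" or not sys.stdin.isatty():
        return getpass.getpass(prompt, stream)
    import termios
    import tty
    out = stream or sys.stderr
    fd = sys.stdin.fileno()
    saved = termios.tcgetattr(fd)
    out.write(prompt)
    out.flush()
    try:
        tty.setcbreak(fd)   # no canonical buffering, no echo; Ctrl-C still works
        def write(s):
            out.write(s)
            out.flush()
        return read_masked(lambda: sys.stdin.read(1), write)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)  # always restore echo
```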