[Python-ideas] Password masking for getpass.getpass

Steven D'Aprano steve at pearwood.info
Wed Jan 13 19:33:18 EST 2016


On Thu, 14 Jan 2016 11:17 am, Ian Kelly wrote:

> On Wed, Jan 13, 2016 at 3:19 AM, Chris Angelico <rosuav at gmail.com> wrote:
>> You're quite probably right that obfuscating the display is security
>> theatre; but it's the security theatre that people are expecting. If
>> you're about to enter your credit card details into a web form, does
>> it really matter whether or not the form itself was downloaded over an
>> encrypted link? But people are used to "look for the padlock", which
>> means that NOT having the padlock will bother people. If you ask for a
>> password and it gets displayed, people will wonder if they're entering
>> it in the right place.
> 
> I realize that I'm taking this thread off-topic, but yes, it's
> important that the form itself be downloaded over a secure connection.


Not just off-topic, but off-list. You appear to have replied to the wrong
mailing list :-)


> If I can MitM the form response over an insecure connection, then I
> can also MitM the form itself. And if I can do that, then I can
> deliver exactly the form you were expecting, but with an added script
> that will read your credit card number as you type it and then fire it
> off to be stored on my server before you've even hit the Submit
> button.
-- 
Steven