[Python-ideas] Password masking for getpass.getpass
Steven D'Aprano
steve at pearwood.info
Wed Jan 13 19:47:37 EST 2016
On Thu, 14 Jan 2016 11:27 am, Chris Angelico wrote:
> On Thu, Jan 14, 2016 at 11:17 AM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
>> I realize that I'm taking this thread off-topic, but yes it's
>> important that the form itself be downloaded over a secure connection.
>> If I can MitM the form response over an insecure connection, then I
>> can also MitM the form itself. And if I can do that, then I can
>> deliver exactly the form you were expecting, but with an added script
>> that will read your credit card number as you type it and then fire it
>> off to be stored on my server before you've even hit the Submit
>> button.
>
> Noscript FTW.
>
> :)
What of the poor souls who, for whatever reason, can't use NoScript?
What about those who are so frustrated with trying to get sites to work that
they just Allow All On This Page? I've seen websites that rely on anything
up to forty or fifty externally hosted scripts just to get basic
functionality. (I stopped counting after a while and just kept
clicking "Temporarily Allow...") You have external scripts calling out to
external scripts from completely different domains, each more and more
dodgy-looking than the last. And that's just the "legitimate" (for some
definition of) scripts.
--
Steven
More information about the Python-list
mailing list