- From: PhistucK <phistuck@gmail.com>
- Date: Sat, 26 Apr 2014 13:05:33 +0300
- To: Jonathan Garbee <jonathan.garbee@gmail.com>
- Cc: WebPlatform Community <public-webplatform@w3.org>
- Message-ID: <CABc02_KxJMBeUnt0-VQPqfvEFJOEy-+mCvGj5NuWT7_q3i7Z9g@mail.gmail.com>
On the subject of HTTPS, I submitted a pull request that changes href values to be protocol agnostic (// instead of http://) for the skin. There are probably more places that should be converted, but it is a start. However, without a proper certificate, no one will use the HTTPS version, which is currently certified for *.ssl.fastly.net and thus generates a certificate error and a warning interstitial. We should not only (really) support HTTPS, but also require it. Especially when logged in.

☆*PhistucK*

On Sat, Apr 26, 2014 at 12:07 PM, Jonathan Garbee <jonathan.garbee@gmail.com> wrote:

> Yea, people shouldn't consider an email informing them of a more secure password storage system being put in place and that they would need to update it as spam. If they do then that is pretty stingy. It is a completely valid security issue that they should be aware of.
>
> The confusion can be mitigated with doing what Jen mentioned. So an email to everyone explaining the upgraded encryption mechanism and the advantages the new SSO system provides. In that, state clearly that passwords should be reset manually (if we can, with a link to the reset with an expire time of like a week.)
>
> Another thing is, the SSO login should be done over HTTPS from the start. Especially with resets, considering we have been HTTP only since launch. If this is done (which it really should; some devs haven't signed up for an account simply because HTTPS isn't in use) then it would make another good point to hit in an announcement email and blog post.
>
> -Garbee
>
> On Fri, Apr 25, 2014 at 8:07 PM, Jen Simmons <jen@jensimmons.com> wrote:
>
>> I think if we simply ask all users to reset their password as part of a big announcement of single-sign-on — that'll be fine. Could actually be very good, since it'll bring to mind for everyone that now they have *one* password for all WPD stuff.
>>
>> Anyone who currently has multiple logins & passwords — which might not match — those people could easily be confused after SSO is deployed if there is no reset required. Heartbleed will make this less painful. Everyone's used to getting password resets for security reasons right now. I think we shouldn't just make it seem like a security thing, however. We should use it as a Big Announcement.
>>
>> The password reset will happen *after* the rollout? Only once? I think that would be ideal.
>>
>> It would be great if we could get metrics on this as it happens. How many users do reset vs how many don't?? If we can.
>>
>> Jen
>>
>> Jen Simmons
>> designer, consultant and speaker
>> host of The Web Ahead
>> jensimmons.com
>> 5by5.tv/webahead
>> twitter: jensimmons <http://twitter.com/jensimmons>
>>
>> On Fri, Apr 25, 2014 at 7:57 PM, Doug Schepers <schepers@w3.org> wrote:
>>
>>> Hi, folks–
>>>
>>> Renoir is in the middle of setting up a new accounts system to enable Single Sign-On (SSO) across the different applications for WebPlatform (starting with the wiki and the annotation system, then later the blog and the issue tracker). This new system should also be somewhat more secure and easier to manage. We will likely deploy the new system in May.
>>>
>>> One of the decisions we have to make is how to handle the passwords of existing accounts; the question is whether we attempt to import and manage the passwords automatically (there are some technical challenges there, because passwords are stored encrypted), or if we can simply ask users to reset their passwords.
>>>
>>> Pros:
>>> 1) it's less work for Renoir, giving him more time to solve other problems
>>> 2) in the wake of the Heartbleed bug, it's good practice for people to reset their password
>>> 3) it will give us a chance to remind and reconnect people to the project (by emailing them to ask them to reset their password)
>>> 4) it's a relatively small and easy thing to ask people to do
>>> 5) it gives us the opportunity to weed out some spambots
>>> 6) (anything else??)
>>>
>>> Cons:
>>> 1) it is more inconvenient for our users
>>> 2) some people may be confused by the change
>>> 3) some people might be annoyed by us "spamming" them with an update request
>>> 4) anything else??
>>>
>>> As you can see, currently I favor asking our users to change their passwords. I had a hard time coming up with cons, which is why I'm asking y'all in the community, to make sure I'm not missing anything.
>>>
>>> Thoughts?
>>>
>>> Thanks-
>>> -Doug
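The certificate mismatch PhistucK describes (a certificate issued for *.ssl.fastly.net being presented for the site's own hostname) is exactly what browser hostname validation rejects. As an added example, not code from this thread or from the WebPlatform project, here is a small checker implementing the wildcard rule browsers apply (a wildcard only as the whole left-most label, matching exactly one label); the SAN list and hostnames it runs against are constructed for illustration.

```python
# Added example: wildcard certificate-name matching as browsers apply it
# (RFC 6125 section 6.4.3 plus the stricter "whole left-most label only"
# rule). The SAN list and hostnames below are constructed for illustration.

def hostname_matches(cert_name, hostname):
    """Return True if a certificate name (CN or DNS SAN) covers hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot
      * a name without '*' must match exactly
      * '*' is honoured only as the entire left-most label and matches
        exactly one label, so '*.ssl.fastly.net' covers neither
        'ssl.fastly.net' nor 'a.b.ssl.fastly.net'
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    wildcard, _, cert_tail = cert_name.partition(".")
    if wildcard != "*" or not cert_tail:
        return False  # partial-label ('d*.example') or bare '*' is rejected
    host_head, _, host_tail = hostname.partition(".")
    # The wildcard must consume one non-empty label and the rest must be
    # identical; partition() guarantees host_head contains no dot.
    return bool(host_head) and host_tail == cert_tail


def check_presented_cert(san_names, hostname):
    """Summarise whether a certificate's SAN list covers the hostname the
    user typed; 'warns' is True when a browser would show an interstitial."""
    covering = [n for n in san_names if hostname_matches(n, hostname)]
    return {"hostname": hostname, "covering": covering, "warns": not covering}


# Constructed SAN list standing in for a CDN's shared certificate.
CDN_SAN_NAMES = ["*.ssl.fastly.net", "ssl.fastly.net"]

if __name__ == "__main__":
    for host in ("webplatform.ssl.fastly.net", "docs.webplatform.org"):
        print(check_presented_cert(CDN_SAN_NAMES, host))
```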
Received on Saturday, 26 April 2014 10:06:41 UTC