Mantis login page not using SSL

Today I wanted to report some bugs in Mantis, but Firefox shows me that the page doesn’t allow a secure connection (HTTPS).

I don’t want to risk my password being leaked, so I’m waiting for this problem to be fixed.

http://tracker.ardour.org/login_page.php

Just curious, what do you imagine would happen if your password was “leaked”? Also, it seems way more likely that it would be leaked via someone getting into the host than via you logging in.

@paul

While the basic premise is correct, many people reuse passwords (Actually probably worse these days than having a ‘somewhat’ simple password) so that if their password is transmitted over plaintext, it is open to interception by anyone in transit obviously. It wouldn’t take much for a compromised point in the chain to run a script looking for basic form input from fields such as ‘password’.

So while your basic point is correct, or more accurately these days it is more likely to be from leaking in a different manner, it is a decidedly non-zero issue. I have had passwords ‘leaked’ from open hotel WiFi for instance, where anyone that knows what they are doing can run wireshark on all traffic and look for the above (Had to call and have someone else change my password, which is dangerous as I usually have administrative privileges over many domains, thankfully I don’t reuse passwords, I am a bit more careful these days because of this). Conventions/Hotels/etc. are notorious for this in fact.

Any open access point in particular is very susceptible to this, and those are still exceedingly common.

Though all that being said, reuse of passwords is probably far more dangerous these days, as more large targets are cracked, and even if the password dump is encrypted, given time any password can be cracked, though obviously the more complex the password the longer it takes to where it can become a zero sum game, but as time goes on that complexity in itself gets more and more difficult to keep it in that range.

Obligatory XKCD ‘Correct Horse Battery Staple’ here. If you (Others, I know Paul knows) don’t know what that is I encourage googling :)

Seablade

Bump? Looks like the whole ardour.org domain is not using secure connections.
Can anyone confirm this?

ardour.org and community.ardour.org both use (and default to) SSL via https://

tracker.ardour.org does not.

@unfa

My experience matches what Paul has described, what do you see that makes you think they are not using a secure connection?

I am wondering if you are referring to ‘mixed content’ delivery, where the web page and most of it is being served over HTTPS, but there are a couple of profile images and the Google Search box which are not according to what I am seeing. Those however should not in any way affect the ability to securely utilize the site, but would be a concern if you were concerned about people knowing exactly what you were doing (Not sure I know of anywhere browsing Ardour.org or searching it via Google through the search box would be an issue for that)

Seablade

Thanks.

That seems like it. I get a Firefox notification that “parts of this page are not secure (such as images)” while on community.ardour.org or ardour.org.
While on tracker.ardour.org I see a stronger warning that says “page is not secure” and “logins on this page could be compromised”. I used to ignore these kinds of warnings, but I recently learned how easily one could intercept a password in plaintext using open-source hacking tools.

Is there a particular reason why tracker.ardour.org doesn’t use SSL?

No, just historical.
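
The thread distinguishes two conditions: a password form on a plain-HTTP page (the "logins on this page could be compromised" warning) and an HTTPS page that pulls in a few HTTP images (the "parts of this page are not secure" notice). The following is an added example, not part of the original posts or of any Ardour or Mantis code, showing how a site owner could check saved page HTML for both; the hostnames and sample markup are constructed, and the finding names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PageAudit(HTMLParser):
    """Records where password fields submit to and which subresources load."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None      # resolved action of the form being parsed
        self.password_targets = []   # URLs a password field would be sent to
        self.subresources = []       # img/script/iframe URLs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_targets.append(self.form_action or self.page_url)
        elif tag in ("img", "script", "iframe") and a.get("src"):
            self.subresources.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def is_http(url):
    return urlsplit(url).scheme.lower() == "http"

def audit(page_url, html):
    """Return findings for one page, in a fixed order."""
    p = PageAudit(page_url)
    p.feed(html)
    findings = []
    if p.password_targets and is_http(page_url):
        findings.append("password-form-on-http-page")
    if any(is_http(t) for t in p.password_targets):
        findings.append("password-submitted-over-http")
    if not is_http(page_url) and any(is_http(u) for u in p.subresources):
        findings.append("mixed-content")
    return findings

# Constructed sample pages (hypothetical hosts, not copies of any real site).
LOGIN = '<form action="login.php"><input type="password" name="password"></form>'
FORUM = '<img src="http://img.example.org/avatar.png"><p>posts</p>'

if __name__ == "__main__":
    print(audit("http://tracker.example.org/login_page.php", LOGIN))
    print(audit("https://community.example.org/", FORUM))
```

The same login markup served from an `https://` URL produces no findings, because the relative form action then resolves to HTTPS as well.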