![[philiptellis]](https://en.gravatar.com/userimage/3079306/f13167d69aa4e1cb5e5f131af4e38e3e.jpeg)
- The Sign-in page is over SSL, which is good:
- The Forgot password page, where you enter your username is also over HTTPS. Not strictly required, but good all the same:
- This sends you an email with a link to reset your password. This page is not over HTTPS:
- And submitting this form also goes to a page that is not over HTTPS:
Now they put the login page on HTTPS, which shows that they want to protect the user's password from sniffing, but the password reset form, which also accepts the user's password, sends the password in clear text over HTTP. This isn't good. If you're going to protect passwords via SSL, do it everywhere. FWIW, the userid (but not the username) is also sent in this form.
Additionally, the password reset page contains JavaScript from google analytics and chartbeat. As I've written before, you shouldn't trust third party scripts. While you may choose to ignore this on most pages, pages that accept the user's credentials should be considered sacred. The user assumes that anything they enter on this page is available only to your servers. By including third party JavaScript, you're breaking that trust.
I've emailed violations@delicious.com with these details, and am awaiting a response.
Update 2012-01-25 21:08 UTC: As of this time, Delicious have fixed the core issue of the password reset page being on HTTP. Kudos to the team for acting quickly. The secondary issue of third party scripts on this page still remains, but that's a policy decision for them, and not me.
3 comments :
Thanks - I've passed this to the engineers, I think we should be able to get this fixed straight away.
Thanks Tim, I'll update the post at that time.
I've just been told it's fixed now. Thanks for reaching out to us with the issue.
Post a Comment