Revise 'Weak Login Function' subcategory
As discussed in #127, it was decided to keep the current P3 severity rating of Broken Authentication and Session Management > Weak Login Function > Over HTTP. However, the discussion provoked a more in-depth analysis of how the VRT addresses this issue. As a result, we would like to propose a more granular classification. Please see the image with two potential options:
As always all feedback is appreciated!
- Created 6 years ago
- Comments: 19 (9 by maintainers)
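The finding class the issue is about, a login function reachable over plaintext HTTP, can be checked mechanically. The following is an added example, not part of the issue thread, the VRT, or any Bugcrowd tooling: it parses a page with the standard library and reports password forms whose resolved submit URL uses http://, which covers both a page served over http:// with no action attribute and an https:// page whose form explicitly posts to an http:// endpoint. The sample pages and hostnames (app.example.test, auth.example.test) are constructed for illustration.

```python
"""Flag login forms whose credentials would travel over plaintext HTTP.

Hypothetical checker (added example; not VRT or Bugcrowd code). A form counts
as a login function when it contains a password input; the submission is
plaintext when the form action, resolved against the page URL the way a
browser resolves it, has the http scheme.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>, its action attribute and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str | None, "has_password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)   # html.parser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # A missing type attribute means a text input, not a password field.
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_plaintext_logins(page_url, html):
    """Return the absolute submit URLs of password forms that would post over http://.

    page_url is the URL the HTML was fetched from; relative or missing form
    actions resolve against it, so an http:// page with no action is flagged,
    and so is an https:// page whose form posts to an absolute http:// URL.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = form["action"]
        submit_url = urljoin(page_url, action) if action else page_url
        if urlsplit(submit_url).scheme.lower() == "http":
            findings.append(submit_url)
    return findings


# Constructed sample pages; they do not come from any real target.
SAMPLE_HTTP_PAGE = """
<html><body>
<form method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""

SAMPLE_MIXED_PAGE = """
<html><body>
<form method="post" action="http://auth.example.test/login">
  <input name="user"><input type="PASSWORD" name="pass">
</form>
<form method="post" action="/search"><input name="q"></form>
</body></html>
"""

SAMPLE_HTTPS_PAGE = """
<html><body>
<form method="post" action="/login"><input type="password" name="pw"></form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in [("http://app.example.test/login", SAMPLE_HTTP_PAGE),
                      ("https://app.example.test/login", SAMPLE_MIXED_PAGE),
                      ("https://app.example.test/login", SAMPLE_HTTPS_PAGE)]:
        print(url, "->", find_plaintext_logins(url, html) or "no plaintext login form")
```

The checker looks only at where the browser would send the credentials, not at whether the HTTP host later redirects to HTTPS; a 301 to https:// does not help a form that has already been submitted in the clear, so that case is still reported.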
Top GitHub Comments
I think the question of whether this is a useful bug class to customers, and whether it's actually being fixed or simply being ignored, can be resolved rather easily: pull all submissions of "Login over HTTP" from the past 6 months, and compare the number of "unresolved" to "resolved" ones.
But I don’t think the FTP part is a very good idea, is this already being reported?
There are many more protocols that do not use encryption; are we gonna put them all in the VRT and increase the farm grounds?
As long as there's any benefit from distinguishing every single insecure protocol, then yes; otherwise a protocol-agnostic entry could be a better option. It is surprising to see that this would be considered a bad thing. Aren't we here to make our customers secure?
I still think login over HTTP is a breeding ground for farming. It's possible to get to the top of the monthly leaderboard with pure volume of duplicate P3s.
We have not observed it being used this way.
It's less of a hassle for them to click a "give 2 kudos points" each time rather than going through the Let's Encrypt process and actually setting up certificates on the 100 random hosts they have on the Internet.
Please see below
pull all submissions of “Login over HTTP” from the past 6 months, and compare the number of “unresolved” to “resolved” ones.
That is a good idea, but as @jhaddinx mentioned the other day, the unresolved/resolved states are not an accurate way to measure what was actually fixed. We dug a little bit deeper here and actually checked what was fixed; the numbers look good, and the proposed changes relate to those to some extent, with the exception of staging instances, which I would love your opinion on.