Revise 'Weak Login Function' subcategory

I think the question of whether this is a useful bug class to customers, and whether its actually being fixed or simply being ignored, can be resolved rather easily: pull all submissions of “Login over HTTP” from the past 6 months, and compare the number of “unresolved” to “resolved” ones.

But I don’t think the FTP part is a very good idea, is this already being reported?

Yes

There are many more protocols that do not use encryption are we gonna put them all in the VRT and increase the farm grounds?

As long as there’s any benefit from distinguishing every single insecure protocol then yes, otherwise a protocol-agnostic entry could be a better option. It is surprising to see that this would be considered a bad thing. Aren’t we here to make our customers secure?

I still think login over http is a breeding ground for farming. It’s possible to get to the top of the monthly leaderboard with pure volume of duplicate P3’s

We have not observed it being used this way

it’s less of a hassle for them to click a “give 2 kudos points” each time rather than going through the letsencrypt process and actually setting up certificates on the 100 random hosts they have on the Internet

Please see below

pull all submissions of “Login over HTTP” from the past 6 months, and compare the number of “unresolved” to “resolved” ones.

That is a good idea, but as @jhaddinx mentioned the other day, the unresolved/resolved states are not an accurate way to measure what was actually fixed. We dug a little bit deeper here and actually checked what was fixed, the numbers look good and the proposed changes relate to those to some extent, with the exception of staging instances, which I would love your opinion on