Quote:
Originally Posted by eschwartz
(I thought calibre plugins are mirrored on the calibre website. So at least it is only vulnerable between your server and MobileRead, when you scrape the index for updates. At least that is my justification for saying Debian is silly for calling the plugin updater a massive security hole and disabling it universally.)
calibre plugins are (the lack of https was one of my primary motivations in setting up the mirror in the first place), but Sigil plugins are not. And generally speaking, not using https does not fill me with confidence with regard to account security. For instance, the other day I spent some time looking into how logins are implemented here, and what happens is that javascript running on the client side hashes the password you enter, replaces it in the form field and the form is then submitted to the server. So if you happen to log in to MR with JS disabled, it will leak your password in plaintext. Not to mention that it is trivial for a MITM attacker to steal your password by simply injecting a bit of malicious JS into the page served over HTTP.
@WT Sharpe: I am sure Alex reads this forum. He posted here a few days ago.
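Added example (not the forum's, calibre's or Sigil's own code) of the server-side triage a site operator could run over login submissions of the kind described in the post above: it flags logins that arrive over plain HTTP and password fields that never received the client-side hashing (JS disabled). The hex-digest shape of a hashed field, the form field names and the sample requests are assumptions constructed for the example.

```python
"""Triage of login POSTs where the client-side script is expected to
replace the password with a digest before submit (added example).
Assumption: a hashed field is a 32/40/64-char hex digest; with JS
disabled the raw password arrives instead. Field names and the sample
requests are constructed, not taken from any real site."""
import re
from typing import Dict, List

# Assumed shape of a client-side-hashed password field (MD5/SHA-1/SHA-256 hex).
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def assess_login_post(scheme: str, form: Dict[str, str]) -> List[str]:
    """Return defensive findings for a single login submission."""
    findings: List[str] = []
    if scheme.lower() != "https":
        # Without TLS every field is readable in transit, hashed or not,
        # and the page/script itself can be altered on the way to the client.
        findings.append("login-over-plain-http")
    password_field = form.get("password", "")
    if not HEX_DIGEST.fullmatch(password_field):
        # Client-side hashing did not run (e.g. JS disabled): the field
        # carries the user's actual password, which must not be logged.
        findings.append("plaintext-password-submitted")
    return findings


def triage(requests: List[Dict]) -> Dict[int, List[str]]:
    """Map request id -> findings for a batch of captured login POSTs."""
    return {r["id"]: assess_login_post(r["scheme"], r["form"]) for r in requests}


# Constructed sample submissions (digest values are arbitrary hex).
SAMPLE_REQUESTS = [
    {"id": 1, "scheme": "http",
     "form": {"user": "alice", "password": "0f1e2d3c4b5a69788796a5b4c3d2e1f0"}},
    {"id": 2, "scheme": "http",
     "form": {"user": "bob", "password": "correct horse battery"}},
    {"id": 3, "scheme": "https",
     "form": {"user": "carol", "password": "0f1e2d3c4b5a69788796a5b4c3d2e1f0"}},
]

if __name__ == "__main__":
    for rid, findings in triage(SAMPLE_REQUESTS).items():
        print(rid, findings or "ok")
```

These checks only tell the operator that a leak has already happened on the wire; the mitigation is serving the login form and its submission over HTTPS, with client-side hashing at most a supplement.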