GNOME Bugzilla – Bug 770774
Libre.fm sends authentication password in plaintext.
Last modified: 2016-09-03 01:22:28 UTC
Created attachment 334697
https certificate warning

Authentication in Libre.fm is currently done through http. Refer below:

#define LIBREFM_AUTH_URL "http://alpha.libre.fm/api/auth/"

POST /api/auth/?api_key=a%20string%2032%20characters%20in%20length&token=86f7910b42332cb42538e5557ff79e9c HTTP/1.1
Host: alpha.libre.fm
Connection: keep-alive
Content-Length: 121
Cache-Control: max-age=0
Origin: http://alpha.libre.fm
...
...
Cookie: __cfduid=d0964ec2b4a3f66efd367b82b5819cf8b1472763250; PHPSESSID=i7s8lik4nheutbcdk096cuqg40

username=xxxxxxx&password=__my__plain__password__&api_key=a+string+32+characters+in+length&token=86f7910b42332cb42538e5557ff79e9cHTTP/1.1

Making the URL "https" creates a warning (see attachment), as the SSL certificate installed on the server is not signed by a CA (which costs money). It is probably self-signed.

This should not be resolved as NOTGNOME, as rhythmbox should at least warn the user of the implications, if "http" is going to be the way.
(In reply to vrishab from comment #0)
> This should not be resolved as NOTGNOME, as rhythmbox should at least warn
> the user of the implications, if "http" is going to be the way.

This is the web browser's job.

*** This bug has been marked as a duplicate of bug 768310 ***
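
Added example (not part of the bug report and not Rhythmbox code): a pre-send check a client could run on the auth request shown in comment 0, counting the secret parameters that would leave the machine unencrypted. The function names and the list of secret keys are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Parameter names treated as secrets (assumed list, from the request in comment 0). */
static const char *const SECRET_KEYS[] = { "password", "token", "api_key" };

/* Case-insensitive compare of the first n bytes; b must be at least n bytes long. */
static bool ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Count secret keys in a form-urlencoded string ("k=v&k2=v2").
 * Only the key before '=' is matched, never the value. */
static int count_secret_keys(const char *params)
{
    int hits = 0;
    while (params != NULL && *params != '\0') {
        size_t key_len = strcspn(params, "=&");   /* key ends at '=' or '&' */
        for (size_t i = 0; i < sizeof SECRET_KEYS / sizeof SECRET_KEYS[0]; i++)
            if (strlen(SECRET_KEYS[i]) == key_len &&
                ieq_n(params, SECRET_KEYS[i], key_len))
                hits++;
        params += strcspn(params, "&");           /* skip to end of this pair */
        if (*params == '&')
            params++;
    }
    return hits;
}

/* Number of secrets that would be sent in cleartext: 0 for an https URL,
 * otherwise the secret keys in the URL query string plus those in the body. */
int cleartext_secret_count(const char *url, const char *body)
{
    if (url == NULL || ieq_n(url, "https://", 8))
        return 0;
    const char *query = strchr(url, '?');
    return count_secret_keys(query ? query + 1 : NULL) + count_secret_keys(body);
}
```

A caller would refuse to send, or warn the user, whenever the result is non-zero.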