Are emails visible in user profiles by default?

  • #204267
    Anonymous
    Guest

    I’m wondering if we should give notice if this is the case. Some people may not want their personal email to be visible.

    #221391
    Anonymous
    Guest

    Orson wrote:

    I’m wondering if we should give notice if this is the case. Some people may not want their personal email to be visible.


    Yes, we should check this, and really we should give another notice. This website is not set up to use SSL encryption for authenticating. This means that every time you log in your password flies over the internet in plain text. If anyone is snooping they would have your password. If you use a password that is the same as your bank, or something important, they would have access to that information. This is a major security problem. The correct solution is to at least use HTTPS (SSL encryption) for the authentication portion (or even the whole forum if it’s easier).

    #221392
    Anonymous
    Guest

    Wow, keen observation jmb. I wouldn’t have the slightest idea…

    #221393
    Anonymous
    Guest

    Orson wrote:

    Wow, keen observation jmb. I wouldn’t have the slightest idea…


    The big problem here is twofold.

    1. Those of us who are administrators should have good passwords. But whatever we choose, someone could snoop if they want to and then use our information to log in as us and administer the site.

    2. Most people have a few set passwords they use everywhere. But then you run the risk of divulging a password that you use at other more critical areas of your life (like your bank). This is very bad.

    I’m not sure if we really want to set up SSL encryption on it (at least for the login pages). We can do that and it is worth investigating I think. But if we’re not interested in doing that, we should at least place a disclaimer on the forum registration telling people to not use passwords they use at other sensitive institutions. Most users have no idea about this kind of stuff and assume (erroneously) that whenever they are asked for a login it is secure (like a bank).

    As for the answer to the email question, I set up a jmb275_test account to take a look. No, people’s personal email addresses are not visible to normal Registered Users. They are visible to Administrators, and possibly Global Moderators.
