[feature-proposal] Forgot password improvements

Ewout ter Haar ewout at usp.br
Mon Nov 11 21:08:31 BRST 2013


Only for those users who share (the value of) two identifiers that the
admin of the noosfero instance chose to activate.

Can we get some perspective, please? Some clear-headed balancing of
the trade-offs?

Ewout


http://social.stoa.usp.br/ewout
F. 30916696


On Mon, Nov 11, 2013 at 7:28 PM, Rodrigo Souto <rodrigo at colivre.coop.br> wrote:
> Indeed...
>
> If there are private confirmation fields (email itself is private by
> default now) we would leak this information through this form.
>
> Aurelio Heckert wrote:
>> Nop...
>>
>> If you can use a piece of CPF or telephone to find a user (as you
>> can use a piece of the name) you can use brute force to discover a
>> collection of CPF/Tel/* and the owner names.
>>
>> I believe we must consider any privacy risk a tragic event, as
>> "privacy destroying".
>>
>>  Aurium
>>
>> On 11-11-2013 15:24, Ewout ter Haar wrote:
>> >In case of n>1, just returning the complete name and maybe the
>> >avatar for disambiguation should be enough and not "privacy
>> >destroying". This is all public information in Noosfero:
>> >http://social.stoa.usp.br/search/people?query=jose
>> >
>> >Of course, a rate-limit system that detects and blocks multiple
>> >password recovery attempts would be nice...
>> >
>> >Ewout
>> >
>> >http://social.stoa.usp.br/ewout
>> >F. 30916696
>> >
>> >
>> >On Mon, Nov 11, 2013 at 4:08 PM, "Aurélio A. Heckert"
>> ><aurelio at colivre.coop.br> wrote:
>> >
>> >    Hey Wait!!!
>> >
>> >    Facebook does not "returns back with the profile info (photo,
>> >    name etc) asking you to confirm if that's you." today.
>> >
>> >    That is a machine to destroy _privacy_. You can't display the
>> >    found profiles with some related data or someone can discover
>> >    sensitive information with _brute force_.
>> >
>> >    Today Facebook asks for other information when it finds more than
>> >    one profile (if I understand it right).
>> >
>> >     Aurium
>> >
>>
>> --
>>
>> *Aurélio A. Heckert (aka Aurium)*
>> http://softwarelivre.org/aurium
>> *COLIVRE --- Coop. de Tecnologias Livres*
>> http://colivre.coop.br
>>
>> *Inkscape* --- Draw Freely
>> http://inkscapeBrasil.org
>
>> _______________________________________________
>> Noosfero-dev mailing list
>> Noosfero-dev at listas.softwarelivre.org
>> http://listas.softwarelivre.org/cgi-bin/mailman/listinfo/noosfero-dev
>
>
> --
> Rodrigo Souto <rodrigo at colivre.coop.br> :: 55 71 8131-7714
> Colivre - Cooperativa de Tecnologias Livres
> http://www.colivre.coop.br/
>
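The thread above weighs three concerns against each other: Aurium's point that matching on a *piece* of a CPF or telephone number lets anyone brute-force the full identifiers and their owners, Rodrigo's point that private confirmation fields leak through the form's response, and Ewout's suggestion of a rate limit on recovery attempts. The sketch below is an added example written for this discussion, not Noosfero's own code; the user fields, the `ACTIVE_IDENTIFIERS` list, the in-memory `RateLimiter` and the `DELIVERIES` sink are all constructed for illustration. It shows a recovery lookup that requires every enabled identifier to match exactly and in full, returns one fixed message whether or not an account matched (so neither a hit, a miss nor an ambiguous result is visible to the caller), and refuses further attempts from a client that exceeds its quota.

```ruby
# Constructed in-memory records standing in for Noosfero users; the field
# names here are assumptions for the example, not Noosfero's schema.
USERS = [
  { name: 'Jose Silva',  email: 'jose@example.org',    cpf: '12345678901', phone: '5511999990001' },
  { name: 'Jose Santos', email: 'jsantos@example.org', cpf: '10987654321', phone: '5511999990002' },
].freeze

# Identifiers the instance admin enabled for confirmation (assumption).
ACTIVE_IDENTIFIERS = %i[cpf phone].freeze

# Where reset links "go" in this example; a real deployment would send mail.
DELIVERIES = []

# Fixed-window rate limiter keyed by client address. Constructed for the
# example; in production the counters would live in a shared store.
class RateLimiter
  def initialize(limit:, window_seconds:)
    @limit = limit
    @window = window_seconds
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # true when the request is allowed, false when the client is over quota
  def allow?(key, now = Time.now)
    hits = @hits[key]
    hits.reject! { |t| now - t >= @window }
    return false if hits.size >= @limit
    hits << now
    true
  end
end

# The only message a caller ever sees for an accepted request.
GENERIC_REPLY = 'If the details match an account, recovery instructions ' \
                'have been sent to its registered address.'

# CPF and phone numbers are compared as digit strings, so formatting
# differences ("123.456.789-01" vs "12345678901") do not matter.
def normalize(value)
  value.to_s.gsub(/\D/, '')
end

def deliver_reset_link(user)
  DELIVERIES << user[:email]
end

# Hardened lookup: every enabled identifier must match exactly and in full
# (a prefix or fragment never matches), and the response carries no account
# data, so the form cannot be used to confirm or enumerate identifiers.
def recover_password(params, client_ip, limiter, users = USERS, now = Time.now)
  unless limiter.allow?(client_ip, now)
    return { status: 429, message: 'Too many attempts; try again later.' }
  end

  matches = users.select do |u|
    ACTIVE_IDENTIFIERS.all? do |field|
      params.key?(field) && normalize(u[field]) == normalize(params[field])
    end
  end

  # A single full match triggers delivery; a miss or an ambiguous result
  # (n > 1) does nothing, and all three cases produce the same reply.
  deliver_reset_link(matches.first) if matches.size == 1
  { status: 200, message: GENERIC_REPLY }
end
```

Because the reply text and status are identical for a match and a non-match, the only observable difference is on the account owner's side (the reset link arrives, or it does not), which is what keeps private confirmation fields from leaking through the form. The rate limiter is deliberately separate from the lookup so the same limit can also cover the confirmation step if the instance asks for further details when more than one profile matches.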

