[liberationtech] Riseup registration process a bit odd...

andrew cooke andrew at acooke.org
Tue Oct 29 05:29:55 PDT 2013


it's https.  no-one else can see the url.

http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed

andrew


On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
> Hi All
> 
> So I am looking to make a #PRISMBREAK and get a riseup.net account. It
> will be no secret, as I am aiming for alex.comninos at riseup.net, and I
> will advertise this publicly.
> 
> The registration process seems a bit odd. I get an HTTPS link to check
> my ticket.
> 
> The link looks something like
> https://user.riseup.net/ticket/******/***************************
> 
> The first set of stars is the ticket number, the second is the email
> address used to register.
> 
> I can, I believe, visit this link to monitor the progress of my ticket.
> However, anyone on the network I used to register, and all the way
> along the internet to riseup.net, can see this link; if I used TOR,
> presumably the exit node. The link reveals that I have a ticket with
> riseup and am intending to register, and the email I am using to register it.
> The link can then be followed by anyone who saw it along its way on
> the internet, and my ticket read with my possibly private motivation
> for doing so elaborated (does not require a login).
> 
> My link was:
> 
> https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com
> 
> Replace the words in square brackets with punctuation, and I invite
> you to read my motivation to open a riseup account.
> 
> I am no information security professional, so please let me know if
> anyone else thinks the registration process may be a bit insecure.
> 
> Kind regards.
> ...
> Alex Comninos | doctoral candidate
> Department of Geography | Justus Liebig University, Gießen
> http:// comninos.org | Twitter: @alexcomninos


