[liberationtech] Riseup registration process a bit odd...
Alex Comninos
alex.comninos at gmail.com
Tue Oct 29 05:47:01 PDT 2013
Thanks Andrew for clarifying this.
I always wondered if the actual URL was encrypted.
The link did expire very quickly (started to ask for a password in
under 15 minutes) after I tried it from multiple locations.
Sorry for wasting your time.
Kind regards,
Alex
On 29 October 2013 13:01, Alex Comninos <alex.comninos at gmail.com> wrote:
> Hi All
>
> So I am looking to make a #PRISMBREAK and get a riseup.net account. It
> will be no secret, as I am aiming for alex.comninos at riseup.net, and I
> will advertise this publicly.
>
> The registration process seems a bit odd. I get an HTTPS link to check
> my ticket.
>
> The link looks something like
> https://user.riseup.net/ticket/******/***************************
>
> The first set of stars is the ticket number, the second is the email
> address used to register.
>
> I can, I believe, visit this link to monitor the progress of my ticket.
> However, anyone on the network I used to register, and all the way
> along the internet to riseup.net, can see this link; if I used Tor,
> presumably the exit node. The link reveals that I have a ticket with
> riseup and am intending to register, and the email I am using to register it.
> The link can then be followed by anyone who saw it along its way on
> the internet, and my ticket read with my possibly private motivation
> for doing so elaborated (does not require a login).
>
> My link was:
>
> https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com
>
> Replace the words in square brackets with punctuation, and I invite
> you to read my motivation to open a riseup account.
>
> I am no information security professional, so please let me know if
> anyone else thinks the registration process may be a bit insecure.
>
> Kind regards.
> ...
> Alex Comninos | doctoral candidate
> Department of Geography | Justus Liebig University, Gießen
> http://comninos.org | Twitter: @alexcomninos