  1. Jira Data Center
  2. JRASERVER-15122

Encrypt passwords sent from login portlet/page to server.

Details

    Description

      Would it be possible to simply encrypt the password sent to the Jira/Confluence server?

      At our organization, we have "ONE SINGLE PASSWORD" for everything (which we are forced to change regularly). Our users expect to use this password everywhere (and Jira/Confluence/etc is integrated into our system via Crowd). Our security team does not like that this one single password is passed across the network in plain text by Jira/Confluence/etc, but would accept the situation if it is encrypted in some way.

      For us, after authentication, encryption is neither desired nor required; nearly all data should be viewable without restriction. However, for changes we prefer to know which user made them, e.g. who added a comment. We would rather not have to use HTTPS for everything since it adds cost in terms of additional installation/configuration and runtime overhead, and we already have published URLs and tools that use only HTTP.

      Possible solutions:

      • Implement a separate HTTPS only login page perhaps as part of Crowd?
      • Use a JavaScript function to make an MD5 (or other) hash using onSubmit() and send that instead? Google found http://pajhome.org.uk/crypt/md5/auth.html as an example.

            People

              idaniel Ian Daniel [Atlassian]
              fbb6b0a5b877 Niall Stapley
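
The second suggestion in the description (hashing the password in onSubmit()), worked through as an added example that is not part of the original issue or of Jira's code. It simulates both ends of the login in Node.js, uses SHA-256 and HMAC in place of the MD5 mentioned, and the account, function names and nonce handling are assumptions: a fixed hash captured from HTTP traffic is accepted when resent, while a response bound to a one-time server nonce is not.

```javascript
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest('hex');
const equal = (a, b) => a.length === b.length && timingSafeEqual(Buffer.from(a), Buffer.from(b));

// Constructed account (hypothetical); the server stores only the password hash.
const stored = new Map([['alice', sha256('constructed-password')]]);
const pending = new Map(); // user -> outstanding one-time nonce

// Scheme 1: onSubmit() replaces the password with a fixed hash.
const clientStaticProof = (password) => sha256(password);
function serverStaticLogin(user, proof) {
  return stored.has(user) && equal(stored.get(user), proof);
}

// Scheme 2: the server sends a fresh nonce with the login form and the
// client returns HMAC(key = hash(password), message = nonce).
function serverIssueNonce(user) {
  const nonce = randomBytes(16).toString('hex');
  pending.set(user, nonce);
  return nonce;
}
const clientResponse = (password, nonce) =>
  createHmac('sha256', sha256(password)).update(nonce).digest('hex');
function serverVerify(user, response) {
  const nonce = pending.get(user);
  pending.delete(user); // one attempt per nonce, pass or fail
  if (!nonce || !stored.has(user)) return false;
  const expected = createHmac('sha256', stored.get(user)).update(nonce).digest('hex');
  return equal(expected, response);
}

// What resending a value captured from the HTTP traffic achieves in each scheme.
function demo() {
  const sniffedHash = clientStaticProof('constructed-password');
  const staticReplayAccepted = serverStaticLogin('alice', sniffedHash);

  const nonce = serverIssueNonce('alice');
  const sniffedResponse = clientResponse('constructed-password', nonce);
  const legitimateAccepted = serverVerify('alice', sniffedResponse);
  serverIssueNonce('alice'); // the next login attempt gets a new nonce
  const nonceReplayAccepted = serverVerify('alice', sniffedResponse);
  return { staticReplayAccepted, legitimateAccepted, nonceReplayAccepted };
}
console.log(demo());
```

Neither scheme protects against someone who can alter the login page in transit over HTTP, and the hash stored on the server remains equivalent to the password for anyone who can read it.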