@yamlfd opened this Issue on September 26th 2014

http://developer.piwik.org/api-reference/tracking-javascript#user-id and some other pages document that people should use the username and email address for the userid. That is a serious security flaw and will lead to data protection troubles. Normally login forms and personal data must always be posted/transferred via SSL-protected forms, as these tell prying eyes at least one or two factors of a login credential.

If people add the email as userid, it will also be added to non-SSL pages, which is a serious data protection issue on unencrypted wires.

People should always use a UUID or hash the username/email, but never use the real value.

Please remove all these documentation references and make clear people should never use these raw values.

@mattab commented on September 30th 2014 Owner

make clear people should never use these raw values.

there are many cases where usernames are already in the webpages content eg. in JS variables or in the DOM. Same with email address. So "should never" is wrong here.

in general it is the responsibility of each webmaster to measure their data securely. I hope that most people who have a login form on their website will deliver all pages once the user is logged in via SSL. If they don't, then it would leak the auth cookie, which is much worse than leaking username or email.

So the point of unencrypted wires for User ID does not make a lot of sense, since User ID will only be used when users are logged in, which should be done securely to ensure safety of the auth cookie.

@mattab commented on September 30th 2014 Owner

It would be possible to update the documentation to explain this, if you care about this please issue a pull request on this page: https://github.com/piwik/developer-documentation/blob/master/docs/tracking-javascript.md

@yamlfd commented on September 30th 2014

I'm sorry, but this is not correct. Well if a user logs in it will be encrypted, but if I make one more click I'm on HTTP and no longer on HTTPS. It's not required to stay at SSL after a login. You only need to protect the login itself.

With your documentation people will start using the email address as UserID, and this is always sent over the wire unencrypted.

The session cookie will be destroyed after I hit logout or after time. My email address is not destroyed after I hit the logout button.

@mattab commented on September 30th 2014 Owner

You only need to protect the login itself.

no you need to also protect pages once you are logged-in, otherwise the session cookie will be stealable by a man-in-the-middle attack (similar attack that would reveal username/email as you point out)

My email address is not destroyed after I hit the logout button.

What do you mean?

This Issue was closed on September 30th 2014