ACME: Do not show passwords
Those DNS validation methods that use ordinary username/password for authentication (such as DNS-GratisDNS) should not expose the entered password, but instead only allow overwriting the current one.
#2 Updated by Jim Pingle about 1 month ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Fixed in ACME package version 0.6.5
As well as it can be in the current framework anyhow. Passwords and other sensitive fields are not shown in the list, and when editing, the fields are masked.
The user could still inspect the form element and see the value, but it would take a lot more to hide it deeper (like in the current standard pfSense password controls) since this does not use the functions from the framework which handle that feature.
This should be good enough, however. If you don't trust a user to see that data, they shouldn't have enough privileges to edit the certificate page.
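The difference between a masked field and a write-only field, as discussed in this ticket, shown as an added example (this is not code from the ACME package or the pfSense framework). The function names, the placeholder constant, the field name and the sample password are hypothetical.

```php
<?php
// Added illustration; not code from the ACME package or pfSense.
// Hypothetical fixed placeholder sent to the browser instead of the stored secret.
const SECRET_PLACEHOLDER = '********';

// Masked only: the input is rendered as dots, but the stored password
// is still present in the value attribute of the page source.
function render_masked(string $name, string $stored): string {
    return sprintf('<input type="password" name="%s" value="%s">',
        htmlspecialchars($name, ENT_QUOTES),
        htmlspecialchars($stored, ENT_QUOTES));
}

// Write-only: the browser receives the placeholder (or an empty value when
// nothing is stored), so inspecting the form element reveals nothing.
function render_write_only(string $name, string $stored): string {
    $shown = ($stored === '') ? '' : SECRET_PLACEHOLDER;
    return sprintf('<input type="password" name="%s" value="%s" autocomplete="new-password">',
        htmlspecialchars($name, ENT_QUOTES), $shown);
}

// On save: an untouched placeholder keeps the stored value; any other
// submission (including an empty string, which clears it) overwrites it.
// Limitation: the placeholder string itself cannot be used as a password.
function resolve_on_save(string $submitted, string $stored): string {
    if ($stored !== '' && hash_equals(SECRET_PLACEHOLDER, $submitted)) {
        return $stored;
    }
    return $submitted;
}

// Constructed sample values for the demonstration.
$stored = 'S3cr3t-example';
$field  = 'gratisdns_password';

echo render_masked($field, $stored), PHP_EOL;
echo render_write_only($field, $stored), PHP_EOL;

// Does the rendered HTML leak the stored secret?
var_dump(strpos(render_masked($field, $stored), $stored) !== false);
var_dump(strpos(render_write_only($field, $stored), $stored) !== false);

// Saving without touching the field keeps the secret; typing a new one replaces it.
var_dump(resolve_on_save(SECRET_PLACEHOLDER, $stored) === $stored);
var_dump(resolve_on_save('new-password', $stored) === 'new-password');
```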