Hey folks,
I have a fairly simple request, but it's a rather breaking issue for keeping my Jabber server secure and preventing bot registrations:
The registration plugin offers web registration and reCAPTCHA in it, but it only works over unencrypted http. Since people are posting their proposed passwords when registering, it's important that someone can't snoop on that.
However, adding the reCAPTCHA challenge doesn't work over https - Google supports https requests but the registration plugin only supports http.
A simple solution would be to remove the http: protocol header and use a URL similar to:
//api.recaptcha.net/challenge?k=nnnnnnnnnnnnnnnnnn
instead of adding http: -- any recent browser will understand a URL with // at the start without a protocol, and will automatically use the protocol that was used previously (http or https). Alternatively, the plugin could check internally which port was used (9090 or 9091)?
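As an added example (not code from the original post, and not code from the registration plugin), here is what the two suggestions above amount to in JavaScript: a protocol-relative challenge URL that inherits the scheme of the page embedding it, a server-side decision based on the connection (the 9090/9091 ports are the ones named in the post; the `encrypted`/`localPort` fields are modelled on a Node TLS socket and are an assumption), and a check that resolves a script `src` the way a browser would to see whether it is mixed content. The host comes from the URL in the post; the site key and the `/register` page path are placeholders.

```javascript
// Added example, not from the original post or the registration plugin.
// Assumptions (hypothetical, for illustration only):
//  - RECAPTCHA_HOST and the "k=" query parameter follow the URL in the post
//  - the server listens on 9090 (plain http) and 9091 (https), as in the post
//  - the connection object exposes `encrypted` and `localPort`, modelled on
//    Node's http.IncomingMessage.socket for a TLS socket
//  - "nnnnnnnnnnnnnnnnnn" stands in for a real site key

const RECAPTCHA_HOST = "api.recaptcha.net";
const PLAIN_PORT = 9090; // assumption: unencrypted listener
const TLS_PORT = 9091;   // assumption: TLS listener

// Suggestion 1: protocol-relative URL. The browser reuses the scheme of the
// page that embeds the script, so an https page fetches the challenge over https.
function challengeUrlProtocolRelative(siteKey) {
  return `//${RECAPTCHA_HOST}/challenge?k=${encodeURIComponent(siteKey)}`;
}

// Suggestion 2: decide server-side. Prefer the socket's TLS flag when the
// server exposes one; otherwise fall back to the port the request arrived on.
// If neither is known, default to https: an https script inside an http page
// still loads, but an http script inside an https page is blocked as mixed
// content, so https is the choice that cannot break the registration form.
function schemeForRequest({ encrypted, localPort } = {}) {
  if (typeof encrypted === "boolean") return encrypted ? "https" : "http";
  if (localPort === TLS_PORT) return "https";
  if (localPort === PLAIN_PORT) return "http";
  return "https";
}

function challengeUrlAbsolute(siteKey, conn) {
  const scheme = schemeForRequest(conn);
  return `${scheme}://${RECAPTCHA_HOST}/challenge?k=${encodeURIComponent(siteKey)}`;
}

// Page-side check: resolve the script src against the page URL exactly as the
// browser does (WHATWG URL parser) and return the scheme it will be fetched with.
function resolvedScheme(pageUrl, scriptSrc) {
  return new URL(scriptSrc, new URL(pageUrl)).protocol;
}

// Mixed content in the sense that matters here: an https page pulling a script
// over plain http. Modern browsers refuse to run such a script.
function isMixedContent(pageUrl, scriptSrc) {
  const page = new URL(pageUrl);
  return page.protocol === "https:" && resolvedScheme(pageUrl, scriptSrc) === "http:";
}

// Demo on a constructed https registration page (path is a placeholder).
const demoPage = "https://jabber.example:9091/register";
const demoKey = "nnnnnnnnnnnnnnnnnn";
console.log("current plugin (http only):", isMixedContent(demoPage,
  `http://${RECAPTCHA_HOST}/challenge?k=${demoKey}`) ? "blocked" : "ok");
console.log("protocol-relative:", isMixedContent(demoPage,
  challengeUrlProtocolRelative(demoKey)) ? "blocked" : "ok");
console.log("port-based:", challengeUrlAbsolute(demoKey, { localPort: 9091 }));
```

One caveat worth keeping in mind with the protocol-relative form: it inherits whatever scheme the embedding page was loaded with, so it only does the right thing for pages the server actually serves over http or https; the server-side variant produces an absolute URL and does not depend on how the page was opened.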