we just discovered three things while testing our new Discourse site with the certificate created by discobot after finishing the tutorial:
- the html ‘title’ tag is “test_cert”
- the certificate can be accessed without beiing logged in to Discourse
- the certificate is created dynamically by getting the user_id within the URL. Using this anyone can go through all user_id from 1 to * and get info about all created users.
Especially the third point bothers us as we try to not publish any user info of users unless they post actively. This together with point 2 is big information leak…