On Sun, Oct 09, 2016 at 11:01:33 +0000, Juuso Lapinlampi wrote:
> I still don't like the idea of having login pages (or login session
> cookies) reachable over HTTP.
It is also worth noting that Firefox will soon display websites that serve login forms over HTTP as insecure: https://hacks.mozilla.org/2016/01/login-forms-over-https-please/

I agree that in modern times it is irresponsible to serve login forms over a plaintext connection, but I'm not crying bad intent or negligence here---now that we're aware of the issue, it just needs a slight change.

In the case of Savannah, if the user loads the page over HTTPS, they will be served the login form over HTTPS. That's good, but a redirect should still otherwise happen. I say this because it is also important to note that it is not an option to use Tor to log into a website using a plaintext HTTP connection---that allows malicious exit nodes to harvest account information. So the simple change here is to add a webserver redirect to ensure that the login form always redirects to HTTPS (/account/login.php).

The EFF's HTTPS Everywhere plugin was created to help to mitigate this issue (sites supporting HTTPS serving HTTP as well), as it is widespread. I use it, which is why I never noticed the issue on Savannah. The better option is to simply drop HTTP support on Savannah entirely and always redirect.

Going back to Tor: it's also not wise to use Savannah over HTTP when logged in over Tor, because a malicious node could hijack your session. This is also true for any other MITM, which is trivial and undetectable over HTTP.

Richard: unless there's a compelling reason not to, I think the sysadmins or Savannah hackers (whomever has the ability) should just add a webserver rule to redirect all requests on port 80 to 443. Ideally, the HSTS header could be added at the same time, since that was created to mitigate the issue of HTTP requests accidentally being made. For example, if the login form was loaded over HTTPS, but accidentally posts to an HTTP link, then those login data will be first posted in plaintext, before then being redirected (and reposted) over a secure connection.
--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: 2217 5B02 E626 BC98 D7C0 C2E5 F22B B815 8EE3 0EAB
https://mikegerwitz.com
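As an added example (not from Mike's message and not Savannah's actual configuration), here is an Apache httpd configuration implementing the two changes discussed above: a port-80 listener that does nothing but redirect to 443, and an HSTS header on the HTTPS side. The hostname and certificate paths are placeholders; it assumes mod_ssl, mod_alias and mod_headers are loaded.

```apache
# Plaintext listener: serves no content at all, only redirects.
<VirtualHost *:80>
    # Placeholder hostname
    ServerName savannah.example.org
    # Permanent redirect of every request, including /account/login.php,
    # to the same path on the HTTPS origin. A 301 means browsers cache it
    # and stop issuing the HTTP request at all.
    Redirect permanent "/" "https://savannah.example.org/"
</VirtualHost>

<VirtualHost *:443>
    ServerName savannah.example.org
    SSLEngine on
    # Placeholder certificate and key paths
    SSLCertificateFile    /etc/ssl/certs/savannah.pem
    SSLCertificateKeyFile /etc/ssl/private/savannah.key

    # HSTS: once seen, the browser rewrites any http:// link for this host
    # to https:// before sending the request, so a login form that
    # accidentally posts to an HTTP URL never leaks the credentials in
    # plaintext, even though the redirect above would catch it afterwards.
    # "always" makes the header go out on error responses too.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

To check the result, `curl -sI http://savannah.example.org/account/login.php` should return a 301 with an `https://` Location and no page body, and `curl -sI https://savannah.example.org/` should show the Strict-Transport-Security header.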