The Savannah login page includes a checkbox that reads "Stay in secure (https) mode after login".
Just to see what would happen, I logged in with this box unchecked. I ended up at <https://savannah.gnu.org/>. I couldn't convince Savannah and my browsers to log me in to <http://savannah.gnu.org/>. So I'm wondering, what does that checkbox do? Is there still a possibility that some communication will pass over unauthenticated channels? While logged in, I manually entered the HTTP URL and was still able to access the administration interface for a group that I administer over the unauthenticated connection.
signature.asc
Description: PGP signature
