1198886 - Add HTTPS (TLS) to planet.firefox.com

Status: RESOLVED INCOMPLETE

(Infrastructure & Operations :: SSL Certificates, task)

Description

[Muhammad Shahmeer]

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36 OPR/27.0.1689.76

Steps to reproduce:

Hey there team
This is another critical issue here. The domain http://planet.firefox.com has no SSl enabled and is running wordpress,

The login panel on this domain is transferring passwords over HTTP, you can easily capture the requests using driftnet


Actual results:

The passwords are being transfered over HTTP here
http://planet.firefox.com


Expected results:

There should be SSL implemented on that domain

Comment 1

[Daniel Veditz [:dveditz]]

Moving to appropriate product -- I couldn't even see this one without admin help.

Comment 2

[Daniel Veditz [:dveditz]]

No one transmits any passwords to this site over http: -- the log in is vestigial. our various "planet" servers are managed from source code checked-in securely using pre-registered SSH keys. They are read-only blog aggregation sites.
https://viewvc.svn.mozilla.org/vc/projects/planet/branches/

(yes, the viewvc site is also available over plain http:, but like planet itself that's a read-only view and it's not a security concern.)

Comment 3

[Daniel Veditz [:dveditz]]

Reed: anything more to do here?

Comment 4

[Reed Loden [:reed]]

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Reed: anything more to do here?

Could ask IT to add SSL, but it's completely read-only, and there's no login panel. Comment #0 is completely made up. Shahmeer, if you continue with false requests, you will be barred from any future submissions.

Moving this over to IT to see about getting SSL added for this FQDN. Also, unhiding.

Comment 5

[Muhammad Shahmeer]

I am sorry but i have not submitted false reports, You can check back one of my report was rewarded by the Firefox team. Please do not treat me as a newbie researcher because i am not.

Thank you

Comment 6

[Reed Loden [:reed]]

(In reply to Muhammad Shahmeer from comment #5)
> I am sorry but i have not submitted false reports, You can check back one of
> my report was rewarded by the Firefox team. Please do not treat me as a
> newbie researcher because i am not.

I am well-aware of who you are, Shahmeer. I also know you're banned from submitting reports to numerous bug bounty programs because of your repeated invalid reports. Please ensure you actually are stating the truth in any future reports, or you will be banned here as well. Thanks!

Comment 7

[Muhammad Shahmeer]

I don't mean to be dis respectful but i do believe my improvement is remarkable over the years and you must have observed that. Disclosing information about me here is not expected from a person of you skill set and is indeed disappointing.

As far as this issue is concerned i might have made a mistake about the login panel for which i apologize and such mistake would not be made again.

Comment 8

[:Atoll]

We are not *specifically* planning to deploy HTTPS at this time for this site, and so no action is to be taken (thus WONTFIX'ing this bug). It is likely, however, that at some point in the future it will be upgraded to HTTPS due to other ongoing efforts.