Add HTTPS (TLS) to planet.firefox.com

RESOLVED INCOMPLETE


People

(Reporter: shahmeerbond, Unassigned)

Tracking

unspecified
Bug Flags:
sec-bounty -

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2265] )

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36 OPR/27.0.1689.76

Steps to reproduce:

Hey there team
This is another critical issue here. The domain http://planet.firefox.com has no SSL enabled and is running WordPress.

The login panel on this domain is transferring passwords over HTTP; you can easily capture the requests using driftnet.


Actual results:

The passwords are being transferred over HTTP here
http://planet.firefox.com


Expected results:

There should be SSL implemented on that domain
Moving to appropriate product -- I couldn't even see this one without admin help.
Group: websites-security
Component: Community → planet.mozilla.org
Product: Marketing → Websites

Updated

3 years ago
Group: marketing-private
No one transmits any passwords to this site over http: -- the login is vestigial. Our various "planet" servers are managed from source code checked in securely using pre-registered SSH keys. They are read-only blog aggregation sites.
https://viewvc.svn.mozilla.org/vc/projects/planet/branches/

(yes, the viewvc site is also available over plain http:, but like planet itself that's a read-only view and it's not a security concern.)
Flags: sec-bounty?
Reed: anything more to do here?
Flags: needinfo?(reed)
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Reed: anything more to do here?

Could ask IT to add SSL, but it's completely read-only, and there's no login panel. Comment #0 is completely made up. Shahmeer, if you continue with false requests, you will be barred from any future submissions.

Moving this over to IT to see about getting SSL added for this FQDN. Also, unhiding.
Assignee: nobody → server-ops-webops
Group: websites-security
Status: UNCONFIRMED → NEW
Component: planet.mozilla.org → WebOps: SSL and Domain Names
Ever confirmed: true
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(reed)
Product: Websites → Infrastructure & Operations
QA Contact: smani

Updated

3 years ago
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/2265]
(Reporter)

Comment 5

3 years ago
I am sorry, but I have not submitted false reports. You can check: one of my reports was rewarded by the Firefox team. Please do not treat me as a newbie researcher, because I am not.

Thank you
(In reply to Muhammad Shahmeer from comment #5)
> I am sorry, but I have not submitted false reports. You can check: one of
> my reports was rewarded by the Firefox team. Please do not treat me as a
> newbie researcher, because I am not.

I am well-aware of who you are, Shahmeer. I also know you're banned from submitting reports to numerous bug bounty programs because of your repeated invalid reports. Please ensure you actually are stating the truth in any future reports, or you will be banned here as well. Thanks!
Summary: Password transmitted over HTTP http://planet.firefox.com → Add HTTPS (TLS) to planet.firefox.com
(Reporter)

Comment 7

3 years ago
I don't mean to be disrespectful, but I do believe my improvement is remarkable over the years, and you must have observed that. Disclosing information about me here is not expected from a person of your skill set and is indeed disappointing.

As far as this issue is concerned, I might have made a mistake about the login panel, for which I apologize, and such a mistake would not be made again.
Summary: Add HTTPS (TLS) to planet.firefox.com → Password transmitted over HTTP http://planet.firefox.com
(Reporter)

Updated

3 years ago
Summary: Password transmitted over HTTP http://planet.firefox.com → Add HTTPS (TLS) to planet.firefox.com
We are not *specifically* planning to deploy HTTPS at this time for this site, and so no action is to be taken (thus WONTFIX'ing this bug). It is likely, however, that at some point in the future it will be upgraded to HTTPS due to other ongoing efforts.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE