Closed Bug 260749 Opened 20 years ago Closed 20 years ago

bonsai buglinks don't use HTTPS

Categories

(mozilla.org Graveyard :: Server Operations, task)

task
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: Biesinger, Assigned: myk)


Details

The buglinks from bonsai are still using http instead of https; using https
would avoid sending the logincookie over an unencrypted connection, and also
avoid the redirection.
Fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Indeed, thanks.
Status: RESOLVED → VERIFIED
Myk, Dave: should we be setting "secure=yes" on the login cookie if the initial
login was over SSL?

Gerv
IMHO we should be encrypting all communications between users and Bugzilla, at
least for logged in users, in which case we wouldn't need to flag logins as secure.

If we don't encrypt all communications, and particularly if we allow users to
log in insecurely, then it might make sense to know who logged in how.  What
would we use the information for?
> IMHO we should be encrypting all communications between users and Bugzilla, at
> least for logged in users, in which case we wouldn't need to flag logins as 
> secure.

I'm not sure of your logic here.

If you don't set "secure=yes", then when an already-logged-in user clicks an
HTTP link to Bugzilla (such as used to be on Bonsai), an HTTP request is made
with cookies, which is then redirected to an HTTPS request. So the cookies go in
the clear.

If you set "secure=yes", then that initial HTTP link which gets redirected
happens _without_ cookies, so the cookies don't go in the clear. This is what
I'm suggesting. Or have I misunderstood how this works?

Gerv
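The redirect case Gerv describes can be checked with Python's standard cookie jar, whose default policy withholds a cookie carrying the Secure attribute from any non-HTTPS request, as browsers do. This is an added illustration, not code from the bug or from Bugzilla; the host, cookie name and cookie value are constructed sample values.

```python
# Added example: why "secure=yes" keeps the login cookie out of the plain-HTTP
# request that precedes the HTTP -> HTTPS redirect. Host, cookie name and
# value are constructed sample values, not real Bugzilla data.
import http.cookiejar
import urllib.request
from email.message import Message

BUG_LINK_HTTP = "http://bugzilla.example.org/show_bug.cgi?id=260749"   # link style Bonsai used to emit
BUG_LINK_HTTPS = "https://bugzilla.example.org/show_bug.cgi?id=260749"  # link style after the fix


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def login_jar(set_cookie):
    """Simulate a login over HTTPS whose response carried the given Set-Cookie header."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request("https://bugzilla.example.org/index.cgi")
    jar.extract_cookies(_Response(set_cookie), login_request)
    return jar


def cookie_header_sent(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    for set_cookie in ("Bugzilla_logincookie=abc123; Path=/",
                       "Bugzilla_logincookie=abc123; Path=/; Secure"):
        jar = login_jar(set_cookie)
        print(repr(set_cookie))
        # Without Secure the cookie rides along on the HTTP link (before the
        # redirect); with Secure it is only attached to the HTTPS request.
        print("  on HTTP link :", cookie_header_sent(jar, BUG_LINK_HTTP))
        print("  on HTTPS link:", cookie_header_sent(jar, BUG_LINK_HTTPS))
```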
Urm, sorry, I misunderstood.  Yes, we should be setting secure=yes, even though
tokens in the clear are only mildly problematic (authentication credentials and
confidential bug information are the more important data to secure).
Product: mozilla.org → mozilla.org Graveyard