Closed
Bug 398239
Opened 18 years ago
Closed 17 years ago
HTTPS should be used for sensitive info pages (login, register, etc.)
Categories
(support.mozilla.org :: Knowledge Base Software, task)
Tracking
(Not tracked)
VERIFIED FIXED
Target Milestone: 0.8
People
(Reporter: reed, Assigned: nkoth)
Details
(Keywords: push-needed, Whiteboard: tiki_fixed)
Attachments
(1 file)
4.31 KB, patch
laura: review+
Right now, http://support.mozilla.com/kb/tiki-register.php and http://support.mozilla.com/kb/tiki-login_scr.php are on HTTP (non-SSL), which means anybody monitoring the networking traffic between a user's computer and the server running support.mozilla.com can easily sniff the user's password. HTTPS (SSL) should be used on any sensitive pages such as register, login, etc. to prevent this.
Comment 1•18 years ago
This is known. The app needs refactoring to support this on the register/edit/login pages. It's on my TODO list.
I assume you already filed a bug against wikimo?
Assignee: nobody → morgamic
Updated•18 years ago
Status: NEW → ASSIGNED
Reporter
Comment 2•18 years ago
(In reply to comment #1)
> I assume you already filed a bug against wikimo?
Of course. Bug 397125.
Other related bugs:
* Bug 269012
* Bug 390836
* Bug 395540
* Bug 396008
* Bug 397123
Comment 3•18 years ago
Here's your gold star.
Assignee
Comment 4•18 years ago
morgamic,
What exactly needs to be done here? Perhaps I can help?
Assignee
Updated•17 years ago
Target Milestone: --- → 0.6
Updated•17 years ago
Target Milestone: 0.6 → 0.7
Updated•17 years ago
Target Milestone: 0.7 → 0.6.2
Comment 5•17 years ago
morgamic, should I reassign this?
Updated•17 years ago
Assignee: morgamic → nobody
Status: ASSIGNED → NEW
Comment 6•17 years ago
We basically just need to require SSL on the login page.
Updated•17 years ago
Assignee: nobody → laura
Updated•17 years ago
Target Milestone: 0.6.2 → 0.6.3
Comment 7•17 years ago
I think it would be better if we then required SSL both on the login page and once a user was logged in, to avoid MITM attacks.
Comment 8•17 years ago
I note Tiki has an admin setting to require HTTPS login - we can turn this on in the next maintenance window. Nelson, will that do the trick, or is there more we need to do?
Comment 9•17 years ago
Having some problems on support-stage with HTTPS which blocks testing (bug 452802)...let's hold this over to 0.6.4, although we may be able to do it sooner since it's basically just a setting change.
Target Milestone: 0.6.3 → 0.6.4
Comment 10•17 years ago
Testing with this on support-stage shows there's a bug somewhere - when you turn on required https login in tiki, login redirects you to tiki-login.php instead of tiki-login_scr.php. Looks like we'll need a code change instead.
Updated•17 years ago
Target Milestone: 0.6.4 → 0.7
Assignee
Comment 11•17 years ago
I think the redirect to tiki-login.php instead of tiki-login_scr.php is intended and desired to effect login.
It looks like https://support-stage.mozilla.org/...anything... (e.g. https://support-stage.mozilla.org/en-US/kb) 404s though, and https://support-stage.mozilla.org/ redirects to http://www.mozilla.org/
Updated•17 years ago
Target Milestone: 0.7 → 0.8
Comment 12•17 years ago
Reassigning to nelson after IRC discussion, thanks Nelson.
Assignee: laura → nelson
Assignee
Comment 13•17 years ago
Can someone tell me why the following statement resolves to false on support-stage.mozilla.org even if I submit an https request?
if ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' || $_SERVER['SERVER_PORT'] == 443 )
Comment 14•17 years ago
If it's behind the netscaler the SSL is being offloaded before it hits your script. Not sure if it's a global setting on the netscaler but it sets HTTP_MOZ_REQ_METHOD on AMO. If it's setting it for you too, something like this in your init file should fix it:
if (isset($_SERVER['HTTP_MOZ_REQ_METHOD']) && $_SERVER['HTTP_MOZ_REQ_METHOD'] == 'HTTPS') {
    $_SERVER['HTTPS'] = 'on';
}
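The detection discussed in comments 13 and 14, as an added example that is not the patch attached to this bug: it explains why the port/HTTPS test fails behind the offloading balancer and accepts the balancer's HTTP_MOZ_REQ_METHOD header as evidence of HTTPS only when the request actually came from the balancer's address range, since any request header is otherwise under the client's control. The proxy address range and the function names are assumptions.

```php
<?php
// Added example, not the TikiWiki patch from this bug. Decides whether the
// current request arrived over HTTPS when TLS is terminated on a load balancer
// that forwards HTTP_MOZ_REQ_METHOD=HTTPS (comment 14). The balancer's address
// range below is a constructed placeholder; the function names are hypothetical.

const TRUSTED_PROXIES = ['10.0.0.0/8'];

function ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int)$bits);
    return (ip2long($ip) & $mask) === (ip2long($subnet) & $mask);
}

function request_is_https(array $server): bool {
    // TLS terminated on the web server itself: the usual signals apply.
    if ((isset($server['HTTPS']) && $server['HTTPS'] === 'on')
        || (isset($server['SERVER_PORT']) && (int)$server['SERVER_PORT'] === 443)) {
        return true;
    }
    // Offloaded TLS: the backend sees plain HTTP on port 80, which is why the
    // test in comment 13 is false. Honour the balancer's header only when the
    // TCP peer is the balancer; a client reaching the backend directly could
    // otherwise add the header to a plaintext request.
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fromProxy = false;
    foreach (TRUSTED_PROXIES as $cidr) {
        if ($peer !== '' && ip_in_cidr($peer, $cidr)) {
            $fromProxy = true;
            break;
        }
    }
    return $fromProxy
        && isset($server['HTTP_MOZ_REQ_METHOD'])
        && $server['HTTP_MOZ_REQ_METHOD'] === 'HTTPS';
}

// Normalise $_SERVER in the init file so existing checks for HTTPS == 'on'
// keep working, as comment 14's snippet does.
if (request_is_https($_SERVER)) {
    $_SERVER['HTTPS'] = 'on';
}

// Constructed sample requests: offloaded via the balancer, the same header
// sent from an outside address, and plain HTTP with no header.
$offloaded = ['REMOTE_ADDR' => '10.2.3.4', 'SERVER_PORT' => '80', 'HTTP_MOZ_REQ_METHOD' => 'HTTPS'];
$outside   = ['REMOTE_ADDR' => '203.0.113.9', 'SERVER_PORT' => '80', 'HTTP_MOZ_REQ_METHOD' => 'HTTPS'];
$plain     = ['REMOTE_ADDR' => '10.2.3.4', 'SERVER_PORT' => '80'];
var_dump(request_is_https($offloaded), request_is_https($outside), request_is_https($plain));
```

Comment 15's alternative, `SetEnv HTTPS on` in the vhost, avoids the header question entirely because the value is fixed by server configuration rather than taken from the request.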
Reporter
Comment 15•17 years ago
or IT can just add |SetEnv HTTPS on| to the vhost... we've done that before.
Assignee
Comment 16•17 years ago
This patch is already in the current trunk (r20736). Will commit to production after reviewed.
The actual HTTPS requirement must be set to "Require SSL" in the TikiWiki admin panel in admin...login.
The default has been set for users not to stay in SSL after logging in. If anyone disagrees with this, I can change the default behavior to "Stay in ssl".
Attachment #352505 - Flags: review?(laura)
Comment 17•17 years ago
Comment on attachment 352505 [details] [diff] [review]
https support behind netscalar
This all looks fine. Let's test/verify it extensively on support-stage though (stephend ftw!)
Attachment #352505 - Flags: review?(laura) → review+
Assignee
Comment 18•17 years ago
Comment on attachment 352505 [details] [diff] [review]
https support behind netscalar
In r20738 in production. Will be in effect after turning on, after push.
Assignee
Updated•17 years ago
(In reply to comment #17)
> (From update of attachment 352505 [details] [diff] [review])
> This all looks fine. Let's test/verify it extensively on support-stage though
> (stephend ftw!)
Added bug 469095 and 469096 to the dependency list.
OK; verified fixed. Bug 469095 and bug 469096 are scoped post-release, accordingly.
Status: RESOLVED → VERIFIED
Updated•16 years ago
Whiteboard: tiki_triage
Comment 21•16 years ago
All this part was rewritten by nyloth. Need to check if new method is suitable for SUMO.
Whiteboard: tiki_triage → tiki_fixed