Recaptcha causes mixed-content SSL warnings on registration

RESOLVED WONTFIX

Status

Websites Graveyard
byob.mozilla.com
P4
major
RESOLVED WONTFIX
9 years ago
4 years ago

People

(Reporter: kev, Assigned: lorchard)

Tracking

(Blocks: 1 bug, {sec-high})

Details

(Whiteboard: [infrasec:tls][ws:high], URL)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
When loading the registration page, users are presented with the warning that some items in the page are not encrypted. This causes a "broken padlock" warning, and may also cause concern that the information being sent, which is personally identifiable, may not be encrypted between the client and webapp.

The warning appears to be caused by the reCAPTCHA code, and can be corrected by switching to the encrypted API as outlined at http://recaptcha.net/apidocs/captcha/client.html in the "Using reCAPTCHA on an https site" section. Could the registration page please be changed to use the https API to ensure all items in the page are delivered via https?

Steps to reproduce:

- Use a browser that has SSL warnings enabled
- Navigate to https://byob.mozilla.com/register
- A mixed-content message, warning the user that some items were not delivered securely, is displayed.
(Reporter)

Updated

9 years ago
Duplicate of this bug: 523028
Created attachment 406961
patch - v1
Assignee: nobody → reed
Status: NEW → ASSIGNED
Attachment #406961 - Flags: review?(lorchard)
Summary: Recpatcha causes mixed-content SSL warnings on registration → Recaptcha causes mixed-content SSL warnings on registration
(Assignee)

Comment 3

9 years ago
Comment on attachment 406961
patch - v1

This patch forces SSL for Recaptcha at the helper level, rather than the app level.

I've got a patch from ozten on another project that adds an SSL flag as a parameter to the helper, so I'll probably end up using that.
Attachment #406961 - Flags: review?(lorchard) → review-
Assignee: reed → lorchard
(Assignee)

Updated

8 years ago
Priority: -- → P4
Whiteboard: 02 hrs
(Assignee)

Comment 4

8 years ago
Pushing into my bug queue.
(Assignee)

Comment 5

8 years ago
Fixed in r62100
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Updated

8 years ago
Depends on: 545572
verified fixed!
Status: RESOLVED → VERIFIED
byob appears to be serving reCAPTCHA scripts over http again.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Whiteboard: 02 hrs → [infrasec:tls][ws:high]
Also, the video on the front page is not served over TLS; this causes mixed content warnings in some browsers regardless of whether or not the browser uses the object: http://www.mozilla.com/includes/flash/playerWithControls.swf?flv=firefox/3.6/whatsnewin36.mp4&autoplay=false&msg=Play%20Video
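A check for the two problems reported in this bug (the reCAPTCHA script and the Flash object referenced over http from an https page), as an added example that is not part of the bug thread or the byob code: it parses page HTML and lists every subresource that resolves to an http:// URL. The `captcha.example` host, the key placeholder and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a fetch; <a href> is navigation, so not listed.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src",
               "embed": "src", "object": "data", "link": "href"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Resolve relative and protocol-relative ("//host/x") references
        # against the page URL before looking at the scheme.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(page_url, html):
    """Return http:// subresources referenced by a page served over https."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to https pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup (not the real byob page; query strings omitted).
SAMPLE_URL = "https://byob.mozilla.com/register"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/main.css">
<script src="//static.example/app.js"></script>
</head><body>
<a href="http://www.mozilla.com/">Mozilla</a>
<script src="http://captcha.example/challenge?k=PLACEHOLDER_KEY"></script>
<noscript><iframe src="http://captcha.example/noscript?k=PLACEHOLDER_KEY"></iframe></noscript>
<object data="http://www.mozilla.com/includes/flash/playerWithControls.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url}")
```

The `<object>` is reported even though a browser without the plugin never fetches it, which matches the warning behaviour described in the comment above.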
Oops, byob is long dead, so marking wontfix.
Status: REOPENED → RESOLVED
Last Resolved: 8 years ago → 5 years ago
Resolution: --- → WONTFIX
Product: Websites → Websites Graveyard