Closed
Bug 567469
Opened 15 years ago
Closed 14 years ago
Use SSL to Protect Submitted Passwords & Session Ids
Categories
(Websites :: Other, defect)
Status: VERIFIED FIXED
People
(Reporter: mcoates, Unassigned)
Details
(Whiteboard: [infrasec:tls])
Issue
SSL is not currently used for any of the sixgill pages (http://dm-sixgill01.mozilla.org). As a result, the login process will always transmit the username and password in clear text from the client to the server.
Recommended Remediation
Use SSL throughout the entire site to protect the password submitted during login and any session identifiers that represent the authenticated user. All requests to non-SSL pages should immediately redirect to the SSL login page. It is also recommended to set the force-tls header to instruct compatible browsers to always request the page over SSL.
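The three controls in the remediation above can be checked mechanically from captured responses. What follows is an added example written for this page, not code from the bug or from the sixgill project: a small Python audit that takes one plain-http response and one https response and reports whether http redirects to https on the same host, whether the https response carries a Strict-Transport-Security header (the standardised successor of the "force-tls" header the report refers to) with an adequate max-age, and whether any session cookie is set with the Secure and HttpOnly flags. The sample responses, the cookie name "sid" and the one-year max-age threshold are constructed assumptions, not captures from dm-sixgill01.

```python
"""Offline audit of the TLS posture recommended in the bug report.
The sample responses below are constructed for illustration; they were not
captured from dm-sixgill01, and the cookie name 'sid' is an assumption."""
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def check_http_redirect(status, headers, request_url):
    """True if a plain-http request is answered with a redirect to https on
    the same host ('all requests to non-SSL pages should immediately redirect')."""
    if status not in REDIRECT_CODES:
        return False
    target = urlsplit(headers.get("location", ""))
    origin = urlsplit(request_url)
    return target.scheme == "https" and target.hostname == origin.hostname


def parse_hsts(headers):
    """Parse Strict-Transport-Security. Returns None when the header is
    absent or its max-age is missing/malformed, otherwise a dict with
    max_age (int) and include_subdomains (bool)."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")          # bare directives get val == ""
        directives[name.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return {"max_age": max_age,
            "include_subdomains": "includesubdomains" in directives}


def cookie_flags(set_cookie_values):
    """(name, secure, httponly) for each Set-Cookie header value."""
    out = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].partition("=")[0].strip()
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
        out.append((name, "secure" in attrs, "httponly" in attrs))
    return out


def audit(http_resp, https_resp, min_max_age=31536000):
    """Run all three checks and return a list of findings; an empty list
    means the site passes. Each response is a dict with keys url, status,
    headers (lower-case header names) and set_cookie (list of values)."""
    findings = []
    if not check_http_redirect(http_resp["status"], http_resp["headers"], http_resp["url"]):
        findings.append("plain-http request is served instead of redirected to https")
    hsts = parse_hsts(https_resp["headers"])
    if hsts is None:
        findings.append("no usable Strict-Transport-Security header on https response")
    elif hsts["max_age"] < min_max_age:
        findings.append("HSTS max-age %d is below %d" % (hsts["max_age"], min_max_age))
    for name, secure, httponly in cookie_flags(http_resp["set_cookie"] + https_resp["set_cookie"]):
        if not secure:
            findings.append("cookie %s lacks the Secure flag" % name)
        if not httponly:
            findings.append("cookie %s lacks the HttpOnly flag" % name)
    return findings


# Constructed sample responses: the cleartext login as reported, and the
# posture the remediation asks for.
BEFORE_HTTP = {"url": "http://dm-sixgill01.mozilla.org/login", "status": 200,
               "headers": {"content-type": "text/html"},
               "set_cookie": ["sid=0123abcd; Path=/"]}
BEFORE_HTTPS = {"url": "https://dm-sixgill01.mozilla.org/login", "status": 200,
                "headers": {"content-type": "text/html"}, "set_cookie": []}
AFTER_HTTP = {"url": "http://dm-sixgill01.mozilla.org/login", "status": 301,
              "headers": {"location": "https://dm-sixgill01.mozilla.org/"},
              "set_cookie": []}
AFTER_HTTPS = {"url": "https://dm-sixgill01.mozilla.org/login", "status": 200,
               "headers": {"content-type": "text/html",
                           "strict-transport-security": "max-age=31536000; includeSubDomains"},
               "set_cookie": ["sid=0123abcd; Path=/; Secure; HttpOnly"]}

if __name__ == "__main__":
    for label, pair in (("before", (BEFORE_HTTP, BEFORE_HTTPS)),
                        ("after", (AFTER_HTTP, AFTER_HTTPS))):
        print(label, audit(*pair) or ["ok"])
```

To use it against a live host, fetch the same URL once over http and once over https without following redirects, lower-case the header names, collect every Set-Cookie value into a list, and pass the two dicts to audit(). The redirect check deliberately requires the Location host to match the requested host so that a redirect to a different https site does not count as protecting this one.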
Updated•15 years ago
Group: core-security → websites-security
Component: Rewriting and Analysis → Other
Product: Core → Websites
QA Contact: rewriting-and-analysis → other
Updated•15 years ago
Group: websites-security → core-security
Component: Other → Rewriting and Analysis
Product: Websites → Core
QA Contact: other → rewriting-and-analysis
Updated•15 years ago
Group: core-security → websites-security
Component: Rewriting and Analysis → Other
Product: Core → Websites
QA Contact: rewriting-and-analysis → other
Comment 1•14 years ago
Is this fixed now? If I try to get to any of the dm-sixgill01 pages under http then I'm redirected to the main page under https.
Comment 2•14 years ago
It looks like they have made some changes towards resolving this. Has the login been removed? I don't see a link for it anymore. I'd like to test that before closing this.
Comment 3•14 years ago
I'm going to be removing the whole half-baked cleartext login system today so all authentication is through LDAP, will post here when that's ready to look at.
Comment 4•14 years ago
The non-LDAP login system has been removed in the latest reports.
Comment 5•14 years ago
This still needs review.
Comment 6•14 years ago
Confirmed the old auth system is removed. LDAP auth is over https.
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
Status: RESOLVED → VERIFIED
Updated•13 years ago
Group: websites-security