Closed
Bug 591524
Opened 14 years ago
Closed 14 years ago
SSL Needed for Login Landing Page on spreadfirefox.com
Categories
(Websites Graveyard :: spreadfirefox.com, defect)
Websites Graveyard
spreadfirefox.com
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 412354
People
(Reporter: mcoates, Unassigned)
References
()
Details
(Whiteboard: [infrasec:tls] [privacy] [infrasecq4])
Issue The login landing page (the page that accepts the username and password) is accessible over HTTP or HTTPS. A user that views the login page over HTTP could be subjected to a man in the middle attack that could steal the user's credentials after they are entered. The MitM could launch this attack by simply modifying the form's action attribute and forcing the form to post the credentials to the attacker's site instead. In addition, if the login page is accessed over HTTP this site will also post the credentials over cleartext HTTP. Recommended Remediation The login landing page (www.spreadfirefox.com/user?destination=node) should only be accessible over HTTPS. Any attempts to access the page over HTTP should result in a redirect to the HTTPS version.
Reporter | ||
Comment 1•14 years ago
|
||
This one didn't get picked up when it was filed. We need someone to tackle this issue.
Comment 2•14 years ago
|
||
mmhmm. Took over 2 years to close this bug the first time I filed it. I see it's been reopened.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
|
Whiteboard: [infrasec:tls] → [infrasec:tls] [privacy] [infrasecq4]
Assignee | ||
Updated•13 years ago
|
Product: Websites → Websites Graveyard
Updated•12 years ago
|
Group: websites-security
You need to log in
before you can comment on or make changes to this bug.
Description
•