Issue

The login landing page (the page that accepts the username and password) is accessible over HTTP or HTTPS. A user that views the login page over HTTP could be subjected to a man-in-the-middle attack that could steal the user's credentials after they are entered. The MitM could launch this attack by simply modifying the form's action attribute and forcing the form to post the credentials to the attacker's site instead. In addition, if the login page is accessed over HTTP, this site will also post the credentials over cleartext HTTP.

Recommended Remediation

The login landing page (www.spreadfirefox.com/user?destination=node) should only be accessible over HTTPS. Any attempts to access the page over HTTP should result in a redirect to the HTTPS version.
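The remediation above, as an added example that is not part of the bug report or the site's own code: a WSGI middleware that refuses to serve the login path over plain HTTP, answers with a 301 to the HTTPS equivalent of the same URL (path and query preserved), and adds a Strict-Transport-Security header to HTTPS responses so a returning browser never issues the HTTP request in the first place. The `/user` path is taken from the report; the host name, the stand-in login application and the `call` helper are constructed for the demonstration.

```python
from urllib.parse import quote

# Constructed sample values; the real deployment would use its own host and app.
PROTECTED_PREFIXES = ("/user",)  # the login landing path named in the report


def _https_url_for(environ):
    """Rebuild the requested URL with the scheme forced to https."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    url = "https://" + host + path
    if query:
        url += "?" + query
    return url


def force_https(app, protected_prefixes=PROTECTED_PREFIXES):
    """Wrap a WSGI app so the protected paths are never served over HTTP.

    The scheme is read from wsgi.url_scheme, which the server sets from the
    actual connection. Behind a TLS-terminating proxy, derive it from the
    proxy's forwarded-proto header only when the request came from that proxy;
    trusting the header from arbitrary clients would let them bypass the check.
    """

    def middleware(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        path = environ.get("PATH_INFO", "")

        if scheme != "https" and path.startswith(protected_prefixes):
            # Do not render the form at all over HTTP: a form served in
            # cleartext could already have had its action attribute rewritten.
            headers = [
                ("Location", _https_url_for(environ)),
                ("Content-Type", "text/plain"),
                ("Content-Length", "0"),
            ]
            start_response("301 Moved Permanently", headers)
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            # One year of HSTS: browsers will rewrite future http:// visits
            # to https:// before sending anything on the wire.
            if scheme == "https":
                headers = list(headers) + [
                    ("Strict-Transport-Security",
                     "max-age=31536000; includeSubDomains")
                ]
            return start_response(status, headers, exc_info)

        return app(environ, secure_start_response)

    return middleware


def login_app(environ, start_response):
    """Constructed stand-in for the real login form (only reached over HTTPS)."""
    body = b'<form method="post" action="/user">username/password fields</form>'
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, scheme, path, query="", host="login.example.test"):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {
        "wsgi.url_scheme": scheme,
        "HTTP_HOST": host,
        "SCRIPT_NAME": "",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "REQUEST_METHOD": "GET",
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = force_https(login_app)
    print(call(app, "http", "/user", "destination=node"))   # 301 to the https URL
    print(call(app, "https", "/user", "destination=node"))  # 200 with HSTS header
```

The redirect alone still leaves the very first HTTP request (and its response) exposed to an active attacker, which is why the HSTS header is set on the HTTPS response; the two together are what the report's "only accessible over HTTPS" amounts to in practice. Redirecting every HTTP path rather than just the login prefix is the simpler and safer configuration when the site can tolerate it.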
This one didn't get picked up when it was filed. We need someone to tackle this issue.
mmhmm. Took over 2 years to close this bug the first time I filed it. I see it's been reopened.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 412354
Status: RESOLVED → VERIFIED
Whiteboard: [infrasec:tls] → [infrasec:tls] [privacy] [infrasecq4]
Product: Websites → Websites Graveyard