Closed Bug 591524 Opened 14 years ago Closed 14 years ago

SSL Needed for Login Landing Page on spreadfirefox.com

Categories

(Websites Graveyard :: spreadfirefox.com, defect)

defect
Not set
major

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 412354

People

(Reporter: mcoates, Unassigned)

Details

(Whiteboard: [infrasec:tls] [privacy] [infrasecq4])

Issue

The login landing page (the page that accepts the username and password) is accessible over HTTP or HTTPS. A user who views the login page over HTTP could be subjected to a man-in-the-middle attack that could steal the user's credentials after they are entered. The MitM could launch this attack by simply modifying the form's action attribute and forcing the form to post the credentials to the attacker's site instead.

In addition, if the login page is accessed over HTTP this site will also post the credentials over cleartext HTTP.


Recommended Remediation

The login landing page (www.spreadfirefox.com/user?destination=node) should only be accessible over HTTPS. Any attempts to access the page over HTTP should result in a redirect to the HTTPS version.
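
A check for the remediation described above, as an added example that is not part of the original bug report or of the site's code: it audits an already-fetched response for the login URL and flags an HTTP response that is not a same-host redirect to HTTPS, and any password form whose resolved action is not HTTPS. The function name, the findings text and the sample markup are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

class PasswordFormFinder(HTMLParser):
    """Record the action attribute of each <form> that holds a password input."""
    def __init__(self):
        super().__init__()
        self.in_form, self.action, self.actions = False, "", []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.in_form, self.action = True, attrs.get("action") or ""
        elif tag == "input" and self.in_form and (attrs.get("type") or "").lower() == "password":
            if self.action not in self.actions:
                self.actions.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit_login_response(url, status, location, body):
    """Findings for one already-fetched response (no network access here)."""
    findings = []
    if urlsplit(url).scheme == "http":
        target = urlsplit(urljoin(url, location or ""))
        if status in REDIRECTS and target.scheme == "https" \
                and target.hostname == urlsplit(url).hostname:
            return findings          # remediation in place: HTTP only redirects
        findings.append("HTTP request not redirected to HTTPS on the same host")
    finder = PasswordFormFinder()
    finder.feed(body)
    for action in finder.actions:
        resolved = urljoin(url, action)   # empty/relative action inherits page scheme
        if urlsplit(resolved).scheme != "https":
            findings.append("password form posts in cleartext to " + resolved)
    return findings

# Constructed sample markup, not the site's real page.
SAMPLE = '<form action="/user?destination=node" method="post">' \
         '<input type="text" name="name"><input type="password" name="pass"></form>'
HTTP_URL = "http://www.spreadfirefox.com/user?destination=node"
HTTPS_URL = "https://www.spreadfirefox.com/user?destination=node"

if __name__ == "__main__":
    for args in ((HTTP_URL, 200, None, SAMPLE), (HTTP_URL, 301, HTTPS_URL, "")):
        print(args[0], args[1], audit_login_response(*args))
```
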
This one didn't get picked up when it was filed. We need someone to tackle this issue.
mmhmm.  Took over 2 years to close this bug the first time I filed it.  I see it's been reopened.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Verified duplicate.
Status: RESOLVED → VERIFIED
Whiteboard: [infrasec:tls] → [infrasec:tls] [privacy] [infrasecq4]
Product: Websites → Websites Graveyard