Closed Bug 622478 Opened 13 years ago Closed 13 years ago

Insecure transition from HTTP to HTTPS

Categories

(www.mozilla.org :: General, defect)

x86_64
Windows 7
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: geeknik, Unassigned)

Details

(Whiteboard: [infrasec:tls][ws:low])

The following forms are being served from an insecure (HTTP) page. These pages could be hijacked using a Man-in-the-middle attack and an attacker could replace the form target.

http://www.mozilla.org/
Form name: ""
Form action: "https://www.mozilla.com/en-US/newsletter/"

http://www.mozilla.org/developer 
Form name: ""
Form action: "https://bugzilla.mozilla.org/show_bug.cgi"

The impact of this vulnerability is possible information disclosure.
If there's a MITM rewriting the www.mozilla.org pages then anything could look like anything and would probably fool the user.

The bugzilla link is HTTPS because bugzilla.mozilla.org is only available over HTTPS, not because the search terms sent are considered super private data that needs protecting.

I'm only guessing about the newsletter one, but it might be HTTPS so they don't have to worry about generating dynamic content. That way if the user goes to https://www.mozilla.org instead of http://www.mozilla.org they won't get a "submitting to insecure page" warning.
Whiteboard: [infrasec:tls][ws:low]
There is no secure data being protected here; HTTPS is used only for convenience.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
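
Added example (not part of the bug report and not Mozilla's code): a small Python check for the pattern reported above, a form served from an HTTP page whose action resolves to HTTPS. The page URL and newsletter action are taken from the report; the sample markup, the second form, and the extra `cleartext-submit` category are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects (name, action) for each <form> start tag."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("name") or "", a.get("action") or ""))


def audit_forms(page_url, html):
    """Classify each form by the scheme of its page and of its resolved action."""
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for name, action in collector.forms:
        # An empty or relative action resolves against the page URL.
        target = urljoin(page_url, action)
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme == "http" and target_scheme == "https":
            issue = "http-page-https-action"  # the case in this report
        elif target_scheme == "http":
            issue = "cleartext-submit"  # extra category, not from the report
        else:
            issue = None
        findings.append({"name": name, "action": target, "issue": issue})
    return findings


# Constructed sample markup; only the newsletter action comes from the report.
SAMPLE_HTML = """
<form action="https://www.mozilla.com/en-US/newsletter/" method="post">
  <input type="email" name="email"><input type="submit">
</form>
<form name="search" action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in ("http://www.mozilla.org/", "https://www.mozilla.org/"):
        for finding in audit_forms(url, SAMPLE_HTML):
            print(url, finding)
```

The same markup produces no findings when the page itself is fetched over HTTPS, which is the situation the second comment describes.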